Windows Analysis Report
U8RYIwIvfK.exe

Overview

General Information

Sample Name: U8RYIwIvfK.exe
Analysis ID: 736964
MD5: 6f53598b9c19b30a0cf3ff0432301708
SHA1: 4bd8e67e468adfbfddd9e5a1e47fdf318bf9a31b
SHA256: 6d3397c687aea5017b90a5e96adc6fbfb0429d56a8b2ead1f1d4273994952379
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: U8RYIwIvfK.exe ReversingLabs: Detection: 43%
Source: U8RYIwIvfK.exe Virustotal: Detection: 38%
Source: Yara match File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: https://tgc8x.tk/tt/ptrr.txt Avira URL Cloud: Label: phishing
Source: https://tgc8x.tk/tt/BLACKDEV.txt Avira URL Cloud: Label: phishing
Source: tgc8x.tk Virustotal: Detection: 5%
Source: https://tgc8x.tk Virustotal: Detection: 6%
Source: U8RYIwIvfK.exe Joe Sandbox ML: detected
Source: 3.0.aspnet_compiler.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.ept-egy.com/zx85/"], "decoy": ["myclassly.com", "rilcon.xyz", "miracleun.shop", "gadgetward-usa.com", "farmaacademy.com", "dreamsolutions.group", "fffood.online", "ziggnl.site", "cherpol.com", "imprescriptible-tienoscope.biz", "yztc.fun", "chicagonftweek.com", "zz0659.com", "hznaixi.com", "027-seo.net", "korlekded.com", "gelatoitaly.com", "finlitguru.com", "gupingapp.com", "manmakecoffee.com", "yuanwei.lol", "cargovoyager.com", "getjobzz.com", "dagatructiephd.com", "mynab.mobi", "masteralbert.com", "rtugwmt0cs.vip", "uscanvas.net", "nocrytech.com", "canadaroi.com", "archivegamer.com", "crossinspectionservices.com", "dxxws.com", "rufflyfedogtraining.com", "prgrn.dev", "bwdcourses.com", "criptomexico.com", "elisabethingram.online", "drationa.shop", "pulsarthermalscope.shop", "grcpp8vyuk.vip", "sh-whyyl.com", "in-cdn.xyz", "aquatabdouro.online", "handsomeshooterjewelry.com", "erug.store", "trueimpact.studio", "taskalso.com", "dzslqdz.xyz", "barbushing.com", "freightxpert.com", "777703.xyz", "bradysproducts.com", "teensforcp.site", "gpssystemecuador.com", "luxslides.com", "sony8ktv.monster", "baxiservisim.xyz", "lojascacau.com", "sfanci.com", "magdrade.com", "jobreadyfresher.com", "dori-maniacs.com", "mercydm.mobi"]}
Source: unknown HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: U8RYIwIvfK.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb source: cmd.exe, 0000000E.00000002.524907250.00000000031EF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000002.521097994.00000000027ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BFXBNFDHDJNG.pdb source: U8RYIwIvfK.exe
Source: Binary string: cmd.pdb source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 14_2_001C245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 14_2_001BB89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 14_2_001C68BA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D31DC FindFirstFileW,FindNextFileW,FindClose, 14_2_001D31DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 14_2_001B85EA
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_00A9B29C
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_00A97E20
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_00A97E44
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_00A97E5C
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_00A9BB1C
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_00A9B74C

Networking

Source: C:\Windows\explorer.exe Domain query: www.mercydm.mobi
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: Traffic Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 50.115.174.192:443 -> 192.168.2.6:49704
Source: Traffic Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.6:59575 -> 8.8.8.8:53
Source: Malware configuration extractor URLs: www.ept-egy.com/zx85/
Source: Joe Sandbox View ASN Name: VIRPUS VIRPUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /tt/ptrr.txt HTTP/1.1 Host: tgc8x.tk Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /tt/BLACKDEV.txt HTTP/1.1 Host: tgc8x.tk
Source: global traffic HTTP traffic detected: GET /zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt HTTP/1.1 Host: www.mercydm.mobi Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 50.115.174.192 50.115.174.192
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 03 Nov 2022 11:41:36 GMT Content-Type: text/html Content-Length: 291 ETag: "635276ab-123" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tgc8x.tk
Source: explorer.exe, 00000004.00000000.295686843.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.352239311.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.315487552.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.270907548.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.341973422.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tgc8x.tk
Source: U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.268543578.0000000002755000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tgc8x.tk/tt/BLACKDEV.txt
Source: U8RYIwIvfK.exe, 00000000.00000002.268352878.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tgc8x.tk/tt/ptrr.txt
Source: U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tgc8x.tk4
Source: U8RYIwIvfK.exe, 00000000.00000002.268543578.0000000002755000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tgc8x.tkD8
Source: unknown DNS traffic detected: queries for: tgc8x.tk
Source: unknown HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49701 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: U8RYIwIvfK.exe PID: 5840, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6120, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5916, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: U8RYIwIvfK.exe PID: 5840, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 6120, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5916, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 010DB150 appears 35 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle, 14_2_001C374E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_01119910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119540 NtReadFile,LdrInitializeThunk, 3_2_01119540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011199A0 NtCreateSection,LdrInitializeThunk, 3_2_011199A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011195D0 NtClose,LdrInitializeThunk, 3_2_011195D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119840 NtDelayExecution,LdrInitializeThunk, 3_2_01119840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_01119860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011198F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_011198F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119710 NtQueryInformationToken,LdrInitializeThunk, 3_2_01119710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119780 NtMapViewOfSection,LdrInitializeThunk, 3_2_01119780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011197A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_011197A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_01119A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A20 NtResumeThread,LdrInitializeThunk, 3_2_01119A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A50 NtCreateFile,LdrInitializeThunk, 3_2_01119A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_01119660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011196E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_011196E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111AD30 NtSetContextThread, 3_2_0111AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119520 NtWaitForSingleObject, 3_2_01119520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119950 NtQueueApcThread, 3_2_01119950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119560 NtWriteFile, 3_2_01119560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011199D0 NtCreateProcessEx, 3_2_011199D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011195F0 NtQueryInformationFile, 3_2_011195F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119820 NtEnumerateKey, 3_2_01119820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111B040 NtSuspendThread, 3_2_0111B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011198A0 NtWriteVirtualMemory, 3_2_011198A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111A710 NtOpenProcessToken, 3_2_0111A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119B00 NtSetValueKey, 3_2_01119B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119730 NtQueryVirtualMemory, 3_2_01119730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119770 NtSetInformationFile, 3_2_01119770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111A770 NtOpenThread, 3_2_0111A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119760 NtOpenProcess, 3_2_01119760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111A3B0 NtGetContextThread, 3_2_0111A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119FE0 NtCreateMutant, 3_2_01119FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119610 NtEnumerateValueKey, 3_2_01119610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A10 NtQuerySection, 3_2_01119A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119650 NtQueryValueKey, 3_2_01119650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119670 NtQueryInformationProcess, 3_2_01119670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A80 NtOpenDirectoryObject, 3_2_01119A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011196D0 NtCreateKey, 3_2_011196D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BB42E NtOpenThreadToken,NtOpenProcessToken,NtClose, 14_2_001BB42E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 14_2_001B84BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 14_2_001B58A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BB4C0 NtQueryInformationToken, 14_2_001BB4C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BB4F8 NtQueryInformationToken,NtQueryInformationToken, 14_2_001BB4F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 14_2_001D6D90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001DB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 14_2_001DB5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D9AB4 NtSetInformationFile, 14_2_001D9AB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 14_2_001B83F2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C896D0 NtCreateKey,LdrInitializeThunk, 14_2_02C896D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C896E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_02C896E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A50 NtCreateFile,LdrInitializeThunk, 14_2_02C89A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89FE0 NtCreateMutant,LdrInitializeThunk, 14_2_02C89FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89780 NtMapViewOfSection,LdrInitializeThunk, 14_2_02C89780
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89710 NtQueryInformationToken,LdrInitializeThunk, 14_2_02C89710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89840 NtDelayExecution,LdrInitializeThunk, 14_2_02C89840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_02C89860
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C895D0 NtClose,LdrInitializeThunk, 14_2_02C895D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C899A0 NtCreateSection,LdrInitializeThunk, 14_2_02C899A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89540 NtReadFile,LdrInitializeThunk, 14_2_02C89540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_02C89910
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A80 NtOpenDirectoryObject, 14_2_02C89A80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89650 NtQueryValueKey, 14_2_02C89650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89660 NtAllocateVirtualMemory, 14_2_02C89660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89670 NtQueryInformationProcess, 14_2_02C89670
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A00 NtProtectVirtualMemory, 14_2_02C89A00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89610 NtEnumerateValueKey, 14_2_02C89610
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A10 NtQuerySection, 14_2_02C89A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A20 NtResumeThread, 14_2_02C89A20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C897A0 NtUnmapViewOfSection, 14_2_02C897A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C8A3B0 NtGetContextThread, 14_2_02C8A3B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89760 NtOpenProcess, 14_2_02C89760
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89770 NtSetInformationFile, 14_2_02C89770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C8A770 NtOpenThread, 14_2_02C8A770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89B00 NtSetValueKey, 14_2_02C89B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C8A710 NtOpenProcessToken, 14_2_02C8A710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89730 NtQueryVirtualMemory, 14_2_02C89730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C898F0 NtReadVirtualMemory, 14_2_02C898F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C898A0 NtWriteVirtualMemory, 14_2_02C898A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C8B040 NtSuspendThread, 14_2_02C8B040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89820 NtEnumerateKey, 14_2_02C89820
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C899D0 NtCreateProcessEx, 14_2_02C899D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 14_2_001C6550
Source: U8RYIwIvfK.exe, 00000000.00000002.268661808.00000000027CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.270167815.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000000.252749623.0000000000254000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBFXBNFDHDJNG.exe: vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.268746824.00000000027DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.268762286.00000000027E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe Binary or memory string: OriginalFilenameBFXBNFDHDJNG.exe: vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe ReversingLabs: Detection: 43%
Source: U8RYIwIvfK.exe Virustotal: Detection: 38%
Source: U8RYIwIvfK.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\U8RYIwIvfK.exe C:\Users\user\Desktop\U8RYIwIvfK.exe
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U8RYIwIvfK.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/1@2/2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001DA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z, 14_2_001DA0D2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit, 14_2_001BC5CA
Source: U8RYIwIvfK.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01
Source: U8RYIwIvfK.exe, u206f????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: U8RYIwIvfK.exe, u206f????????????????????????????????????????.cs Cryptographic APIs: 'TransformBlock'
Source: U8RYIwIvfK.exe, u206f????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206f????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206f????????????????????????????????????????.cs Cryptographic APIs: 'TransformBlock'
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206f????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: U8RYIwIvfK.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: U8RYIwIvfK.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: U8RYIwIvfK.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb source: cmd.exe, 0000000E.00000002.524907250.00000000031EF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000002.521097994.00000000027ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BFXBNFDHDJNG.pdb source: U8RYIwIvfK.exe
Source: Binary string: cmd.pdb source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Source: U8RYIwIvfK.exe, u206a????????????????????????????????????????.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206a????????????????????????????????????????.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9392A push dword ptr [ecx]; iretd 0_2_00A9393D
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9A25E push 11BA938Bh; iretd 0_2_00A9A266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0112D0D1 push ecx; ret 3_2_0112D0E4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C76BD push ecx; ret 14_2_001C76D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C76D1 push ecx; ret 14_2_001C76E4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C9D0D1 push ecx; ret 14_2_02C9D0E4

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE9
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000000129904 second address: 000000000012990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000000129B6E second address: 0000000000129B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe TID: 1104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe TID: 3724 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01116DE6 rdtsc 3_2_01116DE6
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe API coverage: 5.3 %
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 0.7 %
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 14_2_001C245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 14_2_001BB89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 14_2_001C68BA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D31DC FindFirstFileW,FindNextFileW,FindClose, 14_2_001D31DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 14_2_001B85EA
Source: explorer.exe, 00000004.00000000.328931675.00000000084D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.344274153.00000000045B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.351265830.00000000081DD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000004.00000000.320881970.0000000006710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000004.00000000.326654154.0000000008304000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.294164608.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.351359914.0000000008200000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

Anti Debugging

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9B950 CheckRemoteDebuggerPresent, 0_2_00A9B950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D2258 IsDebuggerPresent, 14_2_001D2258
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BAC30 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap, 14_2_001BAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01116DE6 rdtsc 3_2_01116DE6
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D9100 mov eax, dword ptr fs:[00000030h] 3_2_010D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A070D mov eax, dword ptr fs:[00000030h] 3_2_011A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FF716 mov eax, dword ptr fs:[00000030h] 3_2_010FF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110A70E mov eax, dword ptr fs:[00000030h] 3_2_0110A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110A70E mov eax, dword ptr fs:[00000030h] 3_2_0110A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110E730 mov eax, dword ptr fs:[00000030h] 3_2_0110E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D4F2E mov eax, dword ptr fs:[00000030h] 3_2_010D4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D4F2E mov eax, dword ptr fs:[00000030h] 3_2_010D4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A8B58 mov eax, dword ptr fs:[00000030h] 3_2_011A8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DDB40 mov eax, dword ptr fs:[00000030h] 3_2_010DDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010EEF40 mov eax, dword ptr fs:[00000030h] 3_2_010EEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DF358 mov eax, dword ptr fs:[00000030h] 3_2_010DF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01103B7A mov eax, dword ptr fs:[00000030h] 3_2_01103B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01103B7A mov eax, dword ptr fs:[00000030h] 3_2_01103B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DDB60 mov ecx, dword ptr fs:[00000030h] 3_2_010DDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010EFF60 mov eax, dword ptr fs:[00000030h] 3_2_010EFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A8F6A mov eax, dword ptr fs:[00000030h] 3_2_011A8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110B390 mov eax, dword ptr fs:[00000030h] 3_2_0110B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E1B8F mov eax, dword ptr fs:[00000030h] 3_2_010E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E1B8F mov eax, dword ptr fs:[00000030h] 3_2_010E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01157794 mov eax, dword ptr fs:[00000030h] 3_2_01157794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01157794 mov eax, dword ptr fs:[00000030h] 3_2_01157794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01157794 mov eax, dword ptr fs:[00000030h] 3_2_01157794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01102397 mov eax, dword ptr fs:[00000030h] 3_2_01102397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0119138A mov eax, dword ptr fs:[00000030h] 3_2_0119138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0118D380 mov ecx, dword ptr fs:[00000030h] 3_2_0118D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E8794 mov eax, dword ptr fs:[00000030h] 3_2_010E8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01104BAD mov eax, dword ptr fs:[00000030h] 3_2_01104BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01104BAD mov eax, dword ptr fs:[00000030h] 3_2_01104BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01104BAD mov eax, dword ptr fs:[00000030h] 3_2_01104BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A5BA5 mov eax, dword ptr fs:[00000030h] 3_2_011A5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011553CA mov eax, dword ptr fs:[00000030h] 3_2_011553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011553CA mov eax, dword ptr fs:[00000030h] 3_2_011553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011137F5 mov eax, dword ptr fs:[00000030h] 3_2_011137F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FDBE9 mov eax, dword ptr fs:[00000030h] 3_2_010FDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h] 3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h] 3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h] 3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h] 3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h] 3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h] 3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E8A0A mov eax, dword ptr fs:[00000030h] 3_2_010E8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110A61C mov eax, dword ptr fs:[00000030h] 3_2_0110A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110A61C mov eax, dword ptr fs:[00000030h] 3_2_0110A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DC600 mov eax, dword ptr fs:[00000030h] 3_2_010DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DC600 mov eax, dword ptr fs:[00000030h] 3_2_010DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DC600 mov eax, dword ptr fs:[00000030h] 3_2_010DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01108E00 mov eax, dword ptr fs:[00000030h] 3_2_01108E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01191608 mov eax, dword ptr fs:[00000030h] 3_2_01191608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010F3A1C mov eax, dword ptr fs:[00000030h] 3_2_010F3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DAA16 mov eax, dword ptr fs:[00000030h] 3_2_010DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DAA16 mov eax, dword ptr fs:[00000030h] 3_2_010DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D5210 mov eax, dword ptr fs:[00000030h] 3_2_010D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D5210 mov ecx, dword ptr fs:[00000030h] 3_2_010D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D5210 mov eax, dword ptr fs:[00000030h] 3_2_010D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D5210 mov eax, dword ptr fs:[00000030h] 3_2_010D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0118FE3F mov eax, dword ptr fs:[00000030h] 3_2_0118FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DE620 mov eax, dword ptr fs:[00000030h] 3_2_010DE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01114A2C mov eax, dword ptr fs:[00000030h] 3_2_01114A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01114A2C mov eax, dword ptr fs:[00000030h] 3_2_01114A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01164257 mov eax, dword ptr fs:[00000030h] 3_2_01164257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0119EA55 mov eax, dword ptr fs:[00000030h] 3_2_0119EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D9240 mov eax, dword ptr fs:[00000030h] 3_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D9240 mov eax, dword ptr fs:[00000030h] 3_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D9240 mov eax, dword ptr fs:[00000030h] 3_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D9240 mov eax, dword ptr fs:[00000030h] 3_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h] 3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h] 3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h] 3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h] 3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h] 3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h] 3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0119AE44 mov eax, dword ptr fs:[00000030h] 3_2_0119AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0119AE44 mov eax, dword ptr fs:[00000030h] 3_2_0119AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E766D mov eax, dword ptr fs:[00000030h] 3_2_010E766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111927A mov eax, dword ptr fs:[00000030h] 3_2_0111927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0118B260 mov eax, dword ptr fs:[00000030h] 3_2_0118B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0118B260 mov eax, dword ptr fs:[00000030h] 3_2_0118B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A8A62 mov eax, dword ptr fs:[00000030h] 3_2_011A8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h] 3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h] 3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h] 3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h] 3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h] 3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110D294 mov eax, dword ptr fs:[00000030h] 3_2_0110D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110D294 mov eax, dword ptr fs:[00000030h] 3_2_0110D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0116FE87 mov eax, dword ptr fs:[00000030h] 3_2_0116FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110FAB0 mov eax, dword ptr fs:[00000030h] 3_2_0110FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h] 3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h] 3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h] 3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h] 3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h] 3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011546A7 mov eax, dword ptr fs:[00000030h] 3_2_011546A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010EAAB0 mov eax, dword ptr fs:[00000030h] 3_2_010EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010EAAB0 mov eax, dword ptr fs:[00000030h] 3_2_010EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A0EA5 mov eax, dword ptr fs:[00000030h] 3_2_011A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A0EA5 mov eax, dword ptr fs:[00000030h] 3_2_011A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A0EA5 mov eax, dword ptr fs:[00000030h] 3_2_011A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A8ED6 mov eax, dword ptr fs:[00000030h] 3_2_011A8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01118EC7 mov eax, dword ptr fs:[00000030h] 3_2_01118EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0118FEC0 mov eax, dword ptr fs:[00000030h] 3_2_0118FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01102ACB mov eax, dword ptr fs:[00000030h] 3_2_01102ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011036CC mov eax, dword ptr fs:[00000030h] 3_2_011036CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E76E2 mov eax, dword ptr fs:[00000030h] 3_2_010E76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011016E0 mov ecx, dword ptr fs:[00000030h] 3_2_011016E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01102AE4 mov eax, dword ptr fs:[00000030h] 3_2_01102AE4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D11074 mov eax, dword ptr fs:[00000030h] 14_2_02D11074
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C6746D mov eax, dword ptr fs:[00000030h] 14_2_02C6746D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D14015 mov eax, dword ptr fs:[00000030h] 14_2_02D14015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D14015 mov eax, dword ptr fs:[00000030h] 14_2_02D14015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h] 14_2_02CC6C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h] 14_2_02CC6C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h] 14_2_02CC6C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h] 14_2_02CC6C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h] 14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC7016 mov eax, dword ptr fs:[00000030h] 14_2_02CC7016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC7016 mov eax, dword ptr fs:[00000030h] 14_2_02CC7016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC7016 mov eax, dword ptr fs:[00000030h] 14_2_02CC7016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D1740D mov eax, dword ptr fs:[00000030h] 14_2_02D1740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D1740D mov eax, dword ptr fs:[00000030h] 14_2_02D1740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D1740D mov eax, dword ptr fs:[00000030h] 14_2_02D1740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h] 14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h] 14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h] 14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h] 14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h] 14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7BC2C mov eax, dword ptr fs:[00000030h] 14_2_02C7BC2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h] 14_2_02C5B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h] 14_2_02C5B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h] 14_2_02C5B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h] 14_2_02C5B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h] 14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h] 14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h] 14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6DC9 mov ecx, dword ptr fs:[00000030h] 14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h] 14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h] 14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C4B1E1 mov eax, dword ptr fs:[00000030h] 14_2_02C4B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C4B1E1 mov eax, dword ptr fs:[00000030h] 14_2_02C4B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C4B1E1 mov eax, dword ptr fs:[00000030h] 14_2_02C4B1E1
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_01119910
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C7310 SetUnhandledExceptionFilter, 14_2_001C7310
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_001C6FE3

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.mercydm.mobi
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 1B0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 97B008
Source: U8RYIwIvfK.exe, u200b???????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u200b???????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3452
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271403938.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.316353036.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: XProgram Manager
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.326808107.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.346736658.0000000005D90000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271403938.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.315487552.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271403938.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.316353036.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Queries volume information: C:\Users\user\Desktop\U8RYIwIvfK.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 14_2_001B96A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 14_2_001B5AEF
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 14_2_001C3F80
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D3C49 GetSystemTime,SystemTimeToFileTime, 14_2_001D3C49
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B443C GetVersion, 14_2_001B443C

Stealing of Sensitive Information

Source: Yara match File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY