
Analysis Report oqTdpbN5rF.exe

Overview

General Information

Sample Name: oqTdpbN5rF.exe
Analysis ID: 321100
MD5: 429bba6dbe159c300679509be3085665
SHA1: f79f58bc3142b59d0d8669595a01770bdf5486ff
SHA256: 04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Startup

  • System is w10x64
  • oqTdpbN5rF.exe (PID: 796 cmdline: 'C:\Users\user\Desktop\oqTdpbN5rF.exe' MD5: 429BBA6DBE159C300679509BE3085665)
    • RegAsm.exe (PID: 684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 1664 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 6120 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5656 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 816 cmdline: 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\user\Desktop\oqTdpbN5rF.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • choice.exe (PID: 6780 cmdline: choice /C Y /N /D Y /T 3 MD5: 626F7BE965216FEAC7A3C0B4D3751BA2)
    • oqTdpbN5rF.exe (PID: 6300 cmdline: 'C:\Users\user\Desktop\oqTdpbN5rF.exe' MD5: 429BBA6DBE159C300679509BE3085665)
      • RegAsm.exe (PID: 6668 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • cmd.exe (PID: 7096 cmdline: 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\user\Desktop\oqTdpbN5rF.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • choice.exe (PID: 1744 cmdline: choice /C Y /N /D Y /T 3 MD5: 626F7BE965216FEAC7A3C0B4D3751BA2)
  • cleanup
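The process tree above shows three things a detection engineer would want to catch independently of the FormBook signature: the .NET tool RegAsm.exe started with no arguments by an executable on the Desktop (the hollowing host), explorer.exe spawning NETSTAT.EXE, and cmd.exe deleting the image of a process higher up in its own chain, in one case after a timed `choice` wait. The following is an added example, not part of the Joe Sandbox report: it runs those three heuristics over a process-creation log constructed from the tree (PIDs and command lines copied from the report; the full path of explorer.exe is an assumption, since the report lists only its name).

```python
"""Detection heuristics over a constructed process-creation log that mirrors
the Startup tree in this report. Added example, not Joe Sandbox code.
Fields are pid/ppid/image/cmdline (Sysmon Event ID 1 style)."""
import ntpath
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Constructed from the process tree in the report.
EVENTS: List[Event] = [
    {"pid": 796, "ppid": 0, "image": r"C:\Users\user\Desktop\oqTdpbN5rF.exe",
     "cmdline": r"'C:\Users\user\Desktop\oqTdpbN5rF.exe'"},
    {"pid": 684, "ppid": 796,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # explorer.exe path is assumed; the report shows only the name and PID.
    {"pid": 3424, "ppid": 684, "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 1664, "ppid": 3424, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r"C:\Windows\SysWOW64\NETSTAT.EXE"},
    {"pid": 6120, "ppid": 1664, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'"},
    {"pid": 816, "ppid": 796, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 "
                r"& Del 'C:\Users\user\Desktop\oqTdpbN5rF.exe'"},
]

# 'del <path>' as the last command on the line, quoting optional.
DEL_RE = re.compile(r"\bdel\s+['\"]?([^'\"&]+?)['\"]?\s*$", re.IGNORECASE)
# 'choice ... /T <n> & del': a timed wait followed by a delete, the batch
# self-delete idiom that appears twice in the tree above.
CHOICE_DELAY_DEL_RE = re.compile(r"\bchoice\b.*?/T\s+\d+\s*&\s*del\b", re.IGNORECASE)


def ancestors(pid: int, by_pid: Dict[int, Event]) -> List[Event]:
    """Walk ppid links upward; stops at unknown parents or loops."""
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every heuristic that fires."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        pname = ntpath.basename(parent["image"]).lower() if parent else ""
        # RegAsm.exe normally takes an assembly path; an argument-less launch
        # by a parent outside C:\Windows is a typical hollowing host.
        no_args = e["cmdline"].strip().strip("'\"") == e["image"]
        if (name == "regasm.exe" and no_args and parent is not None
                and not parent["image"].lower().startswith("c:\\windows\\")):
            hits.append(("regasm_no_args_from_user_path", e["pid"]))
        # The shell spawning a console network tool: netstat under explorer.exe.
        if name == "netstat.exe" and pname == "explorer.exe":
            hits.append(("explorer_spawns_netstat", e["pid"]))
        if name == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m:
                target = m.group(1).strip().lower()
                # The deleted file is the image of a process above us in the
                # tree: the chain is erasing its own dropper or host binary.
                if any(a["image"].lower() == target for a in ancestors(e["pid"], by_pid)):
                    hits.append(("cmd_deletes_ancestor_image", e["pid"]))
            if CHOICE_DELAY_DEL_RE.search(e["cmdline"]):
                hits.append(("choice_delay_then_del", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

On the constructed log the ancestor-image rule fires twice (PID 6120 deleting RegAsm.exe, PID 816 deleting the original sample), which is the property worth alerting on: a `del` whose target is an image in the caller's own parent chain is rarely legitimate, whereas `del` on its own is noise.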

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Columns: Source | Rule | Description | Author | Strings

Source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0xc488:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xc6f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x18215:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x17d01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x18317:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1848f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xd10a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x16f7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xde03:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1deb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1eeba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x1af99:$sqlite3step: 68 34 1C 7B E1
    • 0x1b0ac:$sqlite3step: 68 34 1C 7B E1
    • 0x1afc8:$sqlite3text: 68 38 2A 90 C5
    • 0x1b0ed:$sqlite3text: 68 38 2A 90 C5
    • 0x1afdb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x1b103:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0xc488:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xc6f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x18215:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x17d01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x18317:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1848f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xd10a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x16f7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xde03:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1deb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1eeba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(46 entries in this table; only the first are shown on this page)

Unpacked PEs

Columns: Source | Rule | Description | Author | Strings

Source: 2.2.RegAsm.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Source: 9.2.RegAsm.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in this table; only the first are shown on this page)
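The two community rules quoted in the Yara Overview match on short byte sequences, and the sequences themselves say something about the sample: `$sequence_0` (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing probe behind the report's "RDTSC time measurements" finding, and each JPCERT/CC string is 68 xx xx xx xx, i.e. x86 `push imm32` of a fixed constant. The following is an added example, not the report's or the rule authors' code: a pure-Python matcher for those strings, run over a buffer constructed here because the real memory dumps are not on the page. The number of strings a rule needs before it fires is an assumption; the real rules' conditions are not quoted in the report.

```python
"""Pure-Python string matching for the Formbook_1 (yara-signator) and
JPCERT/CC Formbook rule strings quoted in this report, over a constructed
buffer. Added example; not Joe Sandbox, yara-signator or JPCERT/CC code."""
import struct
from typing import Dict, List

# Hex strings exactly as listed in the Yara Overview above.
FORMBOOK_1_SEQUENCES: Dict[str, str] = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
JPCERT_STRINGS: Dict[str, str] = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_bytes(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf: bytes, strings: Dict[str, str]) -> Dict[str, List[int]]:
    """Every offset at which each named string occurs (YARA reports all hits)."""
    hits: Dict[str, List[int]] = {}
    for name, hexstr in strings.items():
        pat, offs, start = hex_to_bytes(hexstr), [], 0
        while (i := buf.find(pat, start)) != -1:
            offs.append(i)
            start = i + 1
        hits[name] = offs
    return hits


def rule_fires(hits: Dict[str, List[int]], min_strings: int) -> bool:
    """'N of them' style condition; the threshold is an assumption here."""
    return sum(1 for offs in hits.values() if offs) >= min_strings


def push_imm32(hexstr: str) -> int:
    """Each JPCERT string is 68 xx xx xx xx: opcode 0x68 is x86 'push imm32',
    so the rule keys on the little-endian 32-bit constant being pushed."""
    b = hex_to_bytes(hexstr)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", b[1:])[0]


def uses_rdtsc(hexstr: str) -> bool:
    """0F 31 is RDTSC; only $sequence_0 above contains it."""
    return b"\x0f\x31" in hex_to_bytes(hexstr)


def build_sample() -> bytes:
    """Constructed buffer: each Formbook_1 sequence once at 0x1000 + 0x40*i,
    $sequence_0 a second time at 0x200 (the report shows it twice per dump),
    and the three JPCERT pushes from 0x3000 onwards."""
    buf = bytearray(0x4000)
    for i, hexstr in enumerate(FORMBOOK_1_SEQUENCES.values()):
        pat = hex_to_bytes(hexstr)
        buf[0x1000 + 0x40 * i:0x1000 + 0x40 * i + len(pat)] = pat
    seq0 = hex_to_bytes(FORMBOOK_1_SEQUENCES["$sequence_0"])
    buf[0x200:0x200 + len(seq0)] = seq0
    for i, hexstr in enumerate(JPCERT_STRINGS.values()):
        pat = hex_to_bytes(hexstr)
        buf[0x3000 + 0x10 * i:0x3000 + 0x10 * i + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for name, offs in scan(sample, FORMBOOK_1_SEQUENCES).items():
        flag = " (rdtsc)" if uses_rdtsc(FORMBOOK_1_SEQUENCES[name]) else ""
        print(name, [hex(o) for o in offs], flag)
    for name, hexstr in JPCERT_STRINGS.items():
        print(name, hex(push_imm32(hexstr)))
```

Two practical points follow from the code. The Formbook_1 strings are raw opcode bytes, so they match an unpacked image or a memory dump but not the packed file on disk, which is why the hits are all under "Memory Dumps" and "Unpacked PEs". And the JPCERT/CC strings are five bytes each; a rule built on `push imm32` constants is cheap to scan but should be combined with a condition that requires several of them, as a single five-byte sequence is not a strong match on its own.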

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: oqTdpbN5rF.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: oqTdpbN5rF.exe | Virustotal: Detection: 36%
Source: oqTdpbN5rF.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: oqTdpbN5rF.exe | Joe Sandbox ML: detected
Source: 2.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F31DC FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then pop esi | 2_2_00417295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then pop esi | 2_2_004172A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then pop esi | 9_2_00417295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then pop esi | 9_2_004172A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop esi | 13_2_03017295
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop esi | 13_2_030172A5

Networking:

Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /kgw/?NTlTsb=o2J8lThHmJUlqtc0&0V0hlT=nwMujlop9k/e7RKxDV6F2DOpfZu+NAvKA+XHz2bBew91D/bKU35KPyupQFDW23mxRXA2 HTTP/1.1 | Host: www.bikininbodymommy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /kgw/?NTlTsb=o2J8lThHmJUlqtc0&0V0hlT=F7U1ZxCjw0QXGNF8VmzdEObB3hNcDi5za+FuEorWYUt6zFjVN/aD/y1X6yN+u1VrnSag HTTP/1.1 | Host: www.buyiprod.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: Joe Sandbox View | IP Address: 81.17.18.197
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View | ASN Name: PLI-ASCH
Source: unknown | DNS traffic detected: queries for: www.bikininbodymommy.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.684955436.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
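The two HTTP requests in this section share everything except the Host header and the second query value: the same `/kgw/` path, the same first parameter `NTlTsb=o2J8lThHmJUlqtc0`, no User-Agent, `Connection: close`, and seven zero bytes after the headers. The following is an added example, not part of the report: a small parser that rebuilds the two requests from the lines above and flags those per-request and cross-request traits. The raw requests are constructed here from the report's text (request line, Host and Connection only, since no other headers are shown), and the seven bytes the report lists as "Data Raw" are placed after the headers as the body; that placement is an assumption about how the sandbox renders the stream.

```python
"""Parser and beacon check for the two C2 requests quoted under Networking.
Added example; not Joe Sandbox code. Requests are reconstructed from the
report's lines, not captured."""
from typing import Any, Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed from the two "HTTP traffic detected" entries above.
RAW_REQUESTS: List[bytes] = [
    b"GET /kgw/?NTlTsb=o2J8lThHmJUlqtc0&0V0hlT=nwMujlop9k/e7RKxDV6F2DOpfZu+NAvKA"
    b"+XHz2bBew91D/bKU35KPyupQFDW23mxRXA2 HTTP/1.1\r\n"
    b"Host: www.bikininbodymommy.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
    b"GET /kgw/?NTlTsb=o2J8lThHmJUlqtc0&0V0hlT=F7U1ZxCjw0QXGNF8VmzdEObB3hNcDi5za"
    b"+FuEorWYUt6zFjVN/aD/y1X6yN+u1VrnSag HTTP/1.1\r\n"
    b"Host: www.buyiprod.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
]


def parse_request(raw: bytes) -> Dict[str, Any]:
    """Split an HTTP/1.1 request into method, path, ordered raw query pairs,
    lower-cased headers and body. Query values are kept verbatim: '+' and '/'
    are part of the encoded payload, so no plus or percent decoding here."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query: List[Tuple[str, str]] = []
    for pair in (parts.query.split("&") if parts.query else []):
        k, _, v = pair.partition("=")
        query.append((k, v))
    return {"method": method, "version": version, "path": parts.path,
            "query": query, "headers": headers, "body": body}


def request_indicators(req: Dict[str, Any]) -> List[str]:
    """Per-request traits the report flags: a GET without a User-Agent,
    Connection: close, and a GET that still carries a body."""
    ind: List[str] = []
    headers = req["headers"]
    if req["method"] == "GET" and "user-agent" not in headers:
        ind.append("get_without_user_agent")
    if headers.get("connection", "").lower() == "close":
        ind.append("connection_close")
    if req["method"] == "GET" and req["body"]:
        ind.append("get_with_body")
    return ind


def beacon_reuse(reqs: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Cross-request check: one path plus an identical first query pair sent
    to several different Host values, as in the two requests above."""
    keys = {(r["path"], r["query"][0] if r["query"] else None) for r in reqs}
    hosts = {r["headers"].get("host") for r in reqs}
    return {"shared_key": len(keys) == 1,
            "key": next(iter(keys)) if len(keys) == 1 else None,
            "hosts": sorted(h for h in hosts if h)}


def analyse(raws: List[bytes]) -> Dict[str, Any]:
    reqs = [parse_request(r) for r in raws]
    return {"per_request": [request_indicators(r) for r in reqs],
            "reuse": beacon_reuse(reqs)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(RAW_REQUESTS), indent=2))
```

The cross-request check is the one worth keeping in a hunting query: a missing User-Agent or `Connection: close` on its own is common in scripted traffic, but the same path and first parameter value reappearing across unrelated hosts in a short window is what separates a check-in loop from ordinary browsing.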

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419D50 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419E00 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419E80 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419F30 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419D4B NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419DFE NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419DA4 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419E7A NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419F2B NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079A20 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030799A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030798F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030797A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030796E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030795D0 NtClose,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079B00 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0307A3B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079A10 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079A80 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079950 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030799D0 NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079820 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0307B040 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030798A0 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0307A710 NtOpenProcessToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079730 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079760 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079770 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0307A770 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079FE0 NtCreateMutant
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079610 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079650 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079670 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030796D0 NtCreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079520 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0307AD30 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03079560 NtWriteFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030795F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe | Code function: 7_2_05731C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe | Code function: 7_2_057300AD NtOpenSection,NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419D50 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419E00 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419E80 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419F30 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419D4B NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419DFE NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419DA4 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419E7A NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00419F2B NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9A10 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9A80 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9B00 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027DA3B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027DB040 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9820 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D98A0 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9950 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D99D0 NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9670 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9650 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9610 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D96D0 NtCreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9770 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027DA770 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9760 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9730 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027DA710 NtOpenProcessToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9FE0 NtCreateMutant
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9560 NtWriteFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027DAD30 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D9520 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027D95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03019F30 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03019E00 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03019E80 NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03019D50 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03019F2B NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03019E7A NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03019D4B NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03019DA4 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03019DFE NtReadFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011FB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB4C0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB4F8 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F9AB4 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CDA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9A50 NtCreateFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9A10 NtQuerySection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD99A0 NtCreateSection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CDB040 NtSuspendThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9840 NtDelayExecution
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9780 NtMapViewOfSection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9760 NtOpenProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CDA770 NtOpenThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9710 NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CDA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD96D0 NtCreateKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD95D0 NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9540 NtReadFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9560 NtWriteFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CD9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CDAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E6550 memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle
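The native-API listing above is the evidence behind several of the report's verdicts: the oqTdpbN5rF.exe function 7_2_05731C09 carries, in one body, the full section-mapping process-hollowing sequence (CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, NtCreateSection, NtMapViewOfSection twice, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread), while the RegAsm.exe, NETSTAT.EXE and cmd.exe entries are mostly one resolved Nt* stub per function. Grouping the lines per process and checking for those sequences makes the listing far easier to triage. The script below is an added example, not part of this report and not Joe Sandbox code: it parses lines in the report's own "Source: ... Code function: ..." format, tolerates the fused separators and the repeated trailing address, and reports (a) any single function whose call order contains the hollowing chain and (b) which injection-capability sets each process's union of APIs satisfies. SAMPLE_LINES is a constructed excerpt of the lines above; the pattern names and the API sets behind them are this example's assumptions, not the sandbox's rule set.

```python
"""Triage the 'Code function' lines of a sandbox report for injection chains.

Added example (not part of the report, not Joe Sandbox code). Parses lines of
the form "Source: <image> Code function: <pid>_<run>_<addr> Api1,Api2,...",
unions the API names per process, and flags injection patterns. The API sets
in PATTERNS and HOLLOWING_CHAIN are this example's assumptions.
"""
import re

# Constructed sample: a handful of lines in the report's own format.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Code function: 7_2_05731C09 "
    r"CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,"
    r"NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,"
    r"NtSetContextThread,NtResumeThread,7_2_05731C09",
    r"Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Code function: 7_2_057300AD "
    r"NtOpenSection,NtMapViewOfSection,7_2_057300AD",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: "
    r"2_2_03079950 NtQueueApcThread,2_2_03079950",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: "
    r"2_2_030798A0 NtWriteVirtualMemory,2_2_030798A0",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: "
    r"2_2_0307A3B0 NtGetContextThread,2_2_0307A3B0",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: "
    r"2_2_0307AD30 NtSetContextThread,2_2_0307AD30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: "
    r"2_2_0307B040 NtSuspendThread,2_2_0307B040",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019F30 NtAllocateVirtualMemory,13_2_03019F30",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose",
    r"Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9950 NtQueueApcThread,15_2_03CD9950",
    r"Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD98A0 NtWriteVirtualMemory,15_2_03CD98A0",
]

# Accepts "exe Code function:", the fused "exeCode function:" and "exe | Code function:".
LINE_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8}):?\s*(?P<calls>.*)$"
)
# The report repeats the function address after the call list; strip it.
ADDR_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")

# Assumed minimal API sets per pattern (this example's choice, not the sandbox's).
PATTERNS = {
    "section_remap_hollowing": {"NtCreateSection", "NtMapViewOfSection",
                                "NtWriteVirtualMemory", "NtResumeThread"},
    "apc_injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "thread_context_hijack": {"NtSuspendThread", "NtGetContextThread",
                              "NtSetContextThread"},
}
# Ordered chain that, inside one function body, is the hollowing tell-tale.
HOLLOWING_CHAIN = ("NtMapViewOfSection", "NtWriteVirtualMemory",
                   "NtSetContextThread", "NtResumeThread")


def parse_line(line):
    """Return {'image', 'pid', 'addr', 'calls'} for one report line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    calls = [c.strip() for c in ADDR_RE.sub("", m.group("calls")).split(",")]
    return {"image": m.group("image").strip(), "pid": int(m.group("pid")),
            "addr": m.group("addr").upper(), "calls": [c for c in calls if c]}


def contains_in_order(needle, haystack):
    """True if every name in needle occurs in haystack in that relative order."""
    pos = 0
    for api in haystack:
        if pos < len(needle) and api == needle[pos]:
            pos += 1
    return pos == len(needle)


def find_hollowing_chains(lines):
    """(pid, addr) of every single function whose call order holds the chain."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and contains_in_order(HOLLOWING_CHAIN, rec["calls"]):
            hits.append((rec["pid"], rec["addr"]))
    return hits


def process_capabilities(lines):
    """Union the APIs per process and name the patterns each union satisfies.

    A union across functions is weaker evidence than one function carrying the
    whole chain: the APIs may sit in unrelated code paths that never run
    together, so treat this as a capability, not an observed action.
    """
    by_pid = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = by_pid.setdefault(rec["pid"], {"image": rec["image"], "apis": set()})
        entry["apis"].update(rec["calls"])
    return {pid: {"image": e["image"], "apis": sorted(e["apis"]),
                  "patterns": sorted(n for n, need in PATTERNS.items()
                                     if need <= e["apis"])}
            for pid, e in by_pid.items()}


if __name__ == "__main__":
    for pid, info in sorted(process_capabilities(SAMPLE_LINES).items()):
        print(f"pid {pid:>2} {info['image']}: {info['patterns'] or 'no injection pattern'}")
    for pid, addr in find_hollowing_chains(SAMPLE_LINES):
        print(f"full hollowing chain inside one function: pid {pid} at 0x{addr}")
```

On the sample, only the oqTdpbN5rF.exe function at 0x05731C09 carries the ordered chain, which matches the report's "Sample uses process hollowing technique" verdict; the RegAsm.exe stubs add up to the APC-injection and thread-context-hijack sets, and NETSTAT.EXE satisfies none. Feed the whole listing in (one line per entry) to get the same breakdown for every process in the run.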
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041D906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041DB32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041DBA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041E5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041DE55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409E2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041DF6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041D781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041CF93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03102B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0306EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030FDBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_031022AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0303F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03054120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030F1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0310E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0304B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030620A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_031020A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_031028EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03101FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030FD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03056E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03102EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03102D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03030D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03101D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_03062581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_031025DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0304D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0304841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030FD466
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe | Code function: 7_2_009BB692
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe | Code function: 7_2_009BB70D
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe | Code function: 7_2_009BAAA2
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe | Code function: 7_2_009BB6E6
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe | Code function: 7_2_010D04E1
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe | Code function: 7_2_010D04F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041D906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041DB32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041DBA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041E5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041DE55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00409E2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00409E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041DF6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041D781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041CF93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_028622AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0285DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_02862B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027CEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_028620A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_028628EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_02851002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027C20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027AB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027B4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0279F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027B6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_02862EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0285D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_02861FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027A841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0285D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_02790D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_028625DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_02862D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027AD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_02861D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_027C2581
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_0301DF6E
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_0301D781
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_0301CF93
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03002FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03009E2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03009E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_0301DE55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_03002D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_0301E5ED
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F3506
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E6550
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E1969
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D7190
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DD803
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DE040
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D9CF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F5CEA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D48E6
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DCB48
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E5FC8
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F6FF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DFA30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D5226
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D5E70
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D8AD7
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03D5DBD2
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03D503DA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03CCABD8
          Source: C:\Windows\