Source: cscript.exe, 00000009.00000002.918279591.0000000004E02000.00000004.00000001.sdmp |
String found in binary or memory: https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElP |
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 2_2_004181D0 NtCreateFile, |
2_2_004181D0 |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 2_2_00418280 NtReadFile, |
2_2_00418280 |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 2_2_00418300 NtClose, |
2_2_00418300 |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 2_2_004183B0 NtAllocateVirtualMemory, |
2_2_004183B0 |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 2_2_00418222 NtCreateFile, |
2_2_00418222 |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 2_2_004183AA NtAllocateVirtualMemory, |
2_2_004183AA |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9860 NtQuerySystemInformation,LdrInitializeThunk, |
9_2_047B9860 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9840 NtDelayExecution,LdrInitializeThunk, |
9_2_047B9840 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9540 NtReadFile,LdrInitializeThunk, |
9_2_047B9540 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
9_2_047B9910 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B95D0 NtClose,LdrInitializeThunk, |
9_2_047B95D0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B99A0 NtCreateSection,LdrInitializeThunk, |
9_2_047B99A0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9660 NtAllocateVirtualMemory,LdrInitializeThunk, |
9_2_047B9660 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9A50 NtCreateFile,LdrInitializeThunk, |
9_2_047B9A50 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9650 NtQueryValueKey,LdrInitializeThunk, |
9_2_047B9650 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B96E0 NtFreeVirtualMemory,LdrInitializeThunk, |
9_2_047B96E0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B96D0 NtCreateKey,LdrInitializeThunk, |
9_2_047B96D0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9710 NtQueryInformationToken,LdrInitializeThunk, |
9_2_047B9710 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9FE0 NtCreateMutant,LdrInitializeThunk, |
9_2_047B9FE0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9780 NtMapViewOfSection,LdrInitializeThunk, |
9_2_047B9780 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047BB040 NtSuspendThread, |
9_2_047BB040 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9820 NtEnumerateKey, |
9_2_047B9820 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B98F0 NtReadVirtualMemory, |
9_2_047B98F0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B98A0 NtWriteVirtualMemory, |
9_2_047B98A0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9560 NtWriteFile, |
9_2_047B9560 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9950 NtQueueApcThread, |
9_2_047B9950 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047BAD30 NtSetContextThread, |
9_2_047BAD30 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9520 NtWaitForSingleObject, |
9_2_047B9520 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B95F0 NtQueryInformationFile, |
9_2_047B95F0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B99D0 NtCreateProcessEx, |
9_2_047B99D0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9670 NtQueryInformationProcess, |
9_2_047B9670 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9A20 NtResumeThread, |
9_2_047B9A20 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9610 NtEnumerateValueKey, |
9_2_047B9610 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9A10 NtQuerySection, |
9_2_047B9A10 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9A00 NtProtectVirtualMemory, |
9_2_047B9A00 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9A80 NtOpenDirectoryObject, |
9_2_047B9A80 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047BA770 NtOpenThread, |
9_2_047BA770 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9770 NtSetInformationFile, |
9_2_047B9770 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9760 NtOpenProcess, |
9_2_047B9760 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9730 NtQueryVirtualMemory, |
9_2_047B9730 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047BA710 NtOpenProcessToken, |
9_2_047BA710 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B9B00 NtSetValueKey, |
9_2_047B9B00 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047BA3B0 NtGetContextThread, |
9_2_047BA3B0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B97A0 NtUnmapViewOfSection, |
9_2_047B97A0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_02788280 NtReadFile, |
9_2_02788280 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_02788300 NtClose, |
9_2_02788300 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_027883B0 NtAllocateVirtualMemory, |
9_2_027883B0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_027881D0 NtCreateFile, |
9_2_027881D0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_02788222 NtCreateFile, |
9_2_02788222 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_027883AA NtAllocateVirtualMemory, |
9_2_027883AA |
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 1_2_020706DA mov eax, dword ptr fs:[00000030h] |
1_2_020706DA |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 1_2_0207099F mov eax, dword ptr fs:[00000030h] |
1_2_0207099F |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 1_2_020709DE mov eax, dword ptr fs:[00000030h] |
1_2_020709DE |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 1_2_02070A1C mov eax, dword ptr fs:[00000030h] |
1_2_02070A1C |
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe |
Code function: 1_2_020708EE mov eax, dword ptr fs:[00000030h] |
1_2_020708EE |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479746D mov eax, dword ptr fs:[00000030h] |
9_2_0479746D |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04790050 mov eax, dword ptr fs:[00000030h] |
9_2_04790050 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h] |
9_2_0480B8D0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0480B8D0 mov ecx, dword ptr fs:[00000030h] |
9_2_0480B8D0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04848CD6 mov eax, dword ptr fs:[00000030h] |
9_2_04848CD6 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h] |
9_2_0478B02A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047ABC2C mov eax, dword ptr fs:[00000030h] |
9_2_047ABC2C |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h] |
9_2_047F7016 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h] |
9_2_047F6C0A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_048314FB mov eax, dword ptr fs:[00000030h] |
9_2_048314FB |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] |
9_2_04831C06 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0484740D mov eax, dword ptr fs:[00000030h] |
9_2_0484740D |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h] |
9_2_047F6CF0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04844015 mov eax, dword ptr fs:[00000030h] |
9_2_04844015 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AF0BF mov ecx, dword ptr fs:[00000030h] |
9_2_047AF0BF |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AF0BF mov eax, dword ptr fs:[00000030h] |
9_2_047AF0BF |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AF0BF mov eax, dword ptr fs:[00000030h] |
9_2_047AF0BF |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0480C450 mov eax, dword ptr fs:[00000030h] |
9_2_0480C450 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0480C450 mov eax, dword ptr fs:[00000030h] |
9_2_0480C450 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B90AF mov eax, dword ptr fs:[00000030h] |
9_2_047B90AF |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04832073 mov eax, dword ptr fs:[00000030h] |
9_2_04832073 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04841074 mov eax, dword ptr fs:[00000030h] |
9_2_04841074 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04779080 mov eax, dword ptr fs:[00000030h] |
9_2_04779080 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F3884 mov eax, dword ptr fs:[00000030h] |
9_2_047F3884 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F3884 mov eax, dword ptr fs:[00000030h] |
9_2_047F3884 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477B171 mov eax, dword ptr fs:[00000030h] |
9_2_0477B171 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477B171 mov eax, dword ptr fs:[00000030h] |
9_2_0477B171 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479C577 mov eax, dword ptr fs:[00000030h] |
9_2_0479C577 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479C577 mov eax, dword ptr fs:[00000030h] |
9_2_0479C577 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477C962 mov eax, dword ptr fs:[00000030h] |
9_2_0477C962 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04797D50 mov eax, dword ptr fs:[00000030h] |
9_2_04797D50 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B3D43 mov eax, dword ptr fs:[00000030h] |
9_2_047B3D43 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479B944 mov eax, dword ptr fs:[00000030h] |
9_2_0479B944 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479B944 mov eax, dword ptr fs:[00000030h] |
9_2_0479B944 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F3540 mov eax, dword ptr fs:[00000030h] |
9_2_047F3540 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A513A mov eax, dword ptr fs:[00000030h] |
9_2_047A513A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A513A mov eax, dword ptr fs:[00000030h] |
9_2_047A513A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h] |
9_2_047A4D3B |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h] |
9_2_047A4D3B |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h] |
9_2_047A4D3B |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477AD30 mov eax, dword ptr fs:[00000030h] |
9_2_0477AD30 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047FA537 mov eax, dword ptr fs:[00000030h] |
9_2_047FA537 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] |
9_2_04783D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h] |
9_2_04794120 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h] |
9_2_04794120 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h] |
9_2_04794120 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h] |
9_2_04794120 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04794120 mov ecx, dword ptr fs:[00000030h] |
9_2_04794120 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_048041E8 mov eax, dword ptr fs:[00000030h] |
9_2_048041E8 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04828DF1 mov eax, dword ptr fs:[00000030h] |
9_2_04828DF1 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04779100 mov eax, dword ptr fs:[00000030h] |
9_2_04779100 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04779100 mov eax, dword ptr fs:[00000030h] |
9_2_04779100 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04779100 mov eax, dword ptr fs:[00000030h] |
9_2_04779100 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h] |
9_2_0477B1E1 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h] |
9_2_0477B1E1 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h] |
9_2_0477B1E1 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0478D5E0 mov eax, dword ptr fs:[00000030h] |
9_2_0478D5E0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0478D5E0 mov eax, dword ptr fs:[00000030h] |
9_2_0478D5E0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04848D34 mov eax, dword ptr fs:[00000030h] |
9_2_04848D34 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A35A1 mov eax, dword ptr fs:[00000030h] |
9_2_047A35A1 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AFD9B mov eax, dword ptr fs:[00000030h] |
9_2_047AFD9B |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AFD9B mov eax, dword ptr fs:[00000030h] |
9_2_047AFD9B |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479C182 mov eax, dword ptr fs:[00000030h] |
9_2_0479C182 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] |
9_2_04772D8A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] |
9_2_04772D8A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] |
9_2_04772D8A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] |
9_2_04772D8A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] |
9_2_04772D8A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AA185 mov eax, dword ptr fs:[00000030h] |
9_2_047AA185 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B927A mov eax, dword ptr fs:[00000030h] |
9_2_047B927A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0480FE87 mov eax, dword ptr fs:[00000030h] |
9_2_0480FE87 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] |
9_2_0479AE73 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] |
9_2_0479AE73 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] |
9_2_0479AE73 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] |
9_2_0479AE73 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] |
9_2_0479AE73 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0478766D mov eax, dword ptr fs:[00000030h] |
9_2_0478766D |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h] |
9_2_04840EA5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h] |
9_2_04840EA5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h] |
9_2_04840EA5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h] |
9_2_04779240 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h] |
9_2_04779240 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h] |
9_2_04779240 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h] |
9_2_04779240 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] |
9_2_04787E41 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] |
9_2_04787E41 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] |
9_2_04787E41 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] |
9_2_04787E41 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] |
9_2_04787E41 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] |
9_2_04787E41 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0482FEC0 mov eax, dword ptr fs:[00000030h] |
9_2_0482FEC0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04848ED6 mov eax, dword ptr fs:[00000030h] |
9_2_04848ED6 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477E620 mov eax, dword ptr fs:[00000030h] |
9_2_0477E620 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04793A1C mov eax, dword ptr fs:[00000030h] |
9_2_04793A1C |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h] |
9_2_0477C600 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h] |
9_2_0477C600 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h] |
9_2_0477C600 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A16E0 mov ecx, dword ptr fs:[00000030h] |
9_2_047A16E0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047876E2 mov eax, dword ptr fs:[00000030h] |
9_2_047876E2 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A36CC mov eax, dword ptr fs:[00000030h] |
9_2_047A36CC |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B8EC7 mov eax, dword ptr fs:[00000030h] |
9_2_047B8EC7 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0482FE3F mov eax, dword ptr fs:[00000030h] |
9_2_0482FE3F |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0478AAB0 mov eax, dword ptr fs:[00000030h] |
9_2_0478AAB0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0478AAB0 mov eax, dword ptr fs:[00000030h] |
9_2_0478AAB0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AFAB0 mov eax, dword ptr fs:[00000030h] |
9_2_047AFAB0 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] |
9_2_047752A5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] |
9_2_047752A5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] |
9_2_047752A5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] |
9_2_047752A5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] |
9_2_047752A5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04804257 mov eax, dword ptr fs:[00000030h] |
9_2_04804257 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F46A7 mov eax, dword ptr fs:[00000030h] |
9_2_047F46A7 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0482B260 mov eax, dword ptr fs:[00000030h] |
9_2_0482B260 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0482B260 mov eax, dword ptr fs:[00000030h] |
9_2_0482B260 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04848A62 mov eax, dword ptr fs:[00000030h] |
9_2_04848A62 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AD294 mov eax, dword ptr fs:[00000030h] |
9_2_047AD294 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AD294 mov eax, dword ptr fs:[00000030h] |
9_2_047AD294 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A3B7A mov eax, dword ptr fs:[00000030h] |
9_2_047A3B7A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047A3B7A mov eax, dword ptr fs:[00000030h] |
9_2_047A3B7A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0482D380 mov ecx, dword ptr fs:[00000030h] |
9_2_0482D380 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0483138A mov eax, dword ptr fs:[00000030h] |
9_2_0483138A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477DB60 mov ecx, dword ptr fs:[00000030h] |
9_2_0477DB60 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0478FF60 mov eax, dword ptr fs:[00000030h] |
9_2_0478FF60 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04845BA5 mov eax, dword ptr fs:[00000030h] |
9_2_04845BA5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477F358 mov eax, dword ptr fs:[00000030h] |
9_2_0477F358 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0477DB40 mov eax, dword ptr fs:[00000030h] |
9_2_0477DB40 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0478EF40 mov eax, dword ptr fs:[00000030h] |
9_2_0478EF40 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AE730 mov eax, dword ptr fs:[00000030h] |
9_2_047AE730 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04774F2E mov eax, dword ptr fs:[00000030h] |
9_2_04774F2E |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04774F2E mov eax, dword ptr fs:[00000030h] |
9_2_04774F2E |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0484070D mov eax, dword ptr fs:[00000030h] |
9_2_0484070D |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0484070D mov eax, dword ptr fs:[00000030h] |
9_2_0484070D |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047B37F5 mov eax, dword ptr fs:[00000030h] |
9_2_047B37F5 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0480FF10 mov eax, dword ptr fs:[00000030h] |
9_2_0480FF10 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0480FF10 mov eax, dword ptr fs:[00000030h] |
9_2_0480FF10 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_0483131B mov eax, dword ptr fs:[00000030h] |
9_2_0483131B |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04848B58 mov eax, dword ptr fs:[00000030h] |
9_2_04848B58 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047AB390 mov eax, dword ptr fs:[00000030h] |
9_2_047AB390 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h] |
9_2_047F7794 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h] |
9_2_047F7794 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h] |
9_2_047F7794 |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04848F6A mov eax, dword ptr fs:[00000030h] |
9_2_04848F6A |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04781B8F mov eax, dword ptr fs:[00000030h] |
9_2_04781B8F |
Source: C:\Windows\SysWOW64\cscript.exe |
Code function: 9_2_04781B8F mov eax, dword ptr fs:[00000030h] |
9_2_04781B8F |