Loading ...

Play interactive tourEdit tour

Analysis Report https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/file

Overview

General Information

Sample URL:https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/file

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 5700 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/file' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 3812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 4856 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/file' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • unarchiver.exe (PID: 5376 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\Odeme makbuzu.7z' MD5: 8B435F8731563566F3F49203BA277865)
    • 7za.exe (PID: 2068 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i' 'C:\Users\user\Desktop\download\Odeme makbuzu.7z' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4032 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Odeme makbuzu.exe (PID: 5796 cmdline: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe MD5: 683107D3D202A1B675CFC3EDE8144D3E)
        • RegAsm.exe (PID: 3672 cmdline: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
          • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 4360 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "DRjoD0j7", "URL: ": "http://PXKgmspk46.com", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "ICcd20", "From: ": "david01smith@yandex.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000003.1124246950.0000000001380000.00000004.00000001.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
  • 0x5f58:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000A.00000002.1540359340.0000000020150000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000000A.00000002.1540359340.0000000020150000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegAsm.exe PID: 3672JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Click to see the 1 entries

          Sigma Overview


          System Summary:

          barindex
          Sigma detected: Capture Wi-Fi passwordShow sources
          Source: Process startedAuthor: Joe Security: Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 3672, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 4360
          Sigma detected: RegAsm connects to smtp portShow sources
          Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 3672, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49948

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: RegAsm.exe.3672.10.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "DRjoD0j7", "URL: ": "http://PXKgmspk46.com", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "ICcd20", "From: ": "david01smith@yandex.com"}
          Source: 5.3.7za.exe.fd0000.0.unpackAvira: Label: TR/Dropper.Gen

          Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4x nop then jmp 0142097Fh4_2_014202A8
          Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4x nop then jmp 0142097Eh4_2_014202A8

          Source: global trafficTCP traffic: 192.168.2.6:49948 -> 77.88.21.158:587
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FF3A09A recv,10_2_1FF3A09A
          Source: unknownDNS traffic detected: queries for: www.mediafire.com
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.1541038709.000000002034C000.00000004.00000001.sdmpString found in binary or memory: http://PXKgmspk46.com
          Source: RegAsm.exe, 0000000A.00000002.1540359340.0000000020150000.00000004.00000001.sdmpString found in binary or memory: http://PXKgmspk46.comX)
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
          Source: wget.exe, 00000002.00000003.1113302994.0000000002C13000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
          Source: wget.exe, 00000002.00000002.1116037057.0000000002C0B000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
          Source: wget.exe, 00000002.00000003.1113302994.0000000002C13000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crlLp
          Source: wget.exeString found in binary or memory: http://crl.globalsign.net/root-r2.crl
          Source: wget.exe, 00000002.00000002.1115970279.0000000002BDC000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
          Source: wget.exe, 00000002.00000002.1116098339.0000000002C2C000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
          Source: wget.exeString found in binary or memory: http://ocsp.comodoca.com
          Source: wget.exe, 00000002.00000002.1116037057.0000000002C0B000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
          Source: wget.exe, 00000002.00000003.1113302994.0000000002C13000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.comDr
          Source: wget.exe, 00000002.00000002.1115970279.0000000002BDC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.comer
          Source: wget.exe, 00000002.00000003.1113302994.0000000002C13000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com
          Source: wget.exe, 00000002.00000002.1116098339.0000000002C2C000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0)
          Source: wget.exe, 00000002.00000003.1113302994.0000000002C13000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.comj0
          Source: wget.exe, 00000002.00000003.1113302994.0000000002C13000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.comt1
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
          Source: RegAsm.exe, 0000000A.00000002.1542555777.0000000022AE0000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
          Source: cmdline.out.2.drString found in binary or memory: https://download668.mediafire.com/p59u6u7bvveg/6urm5ylq31a3s24/Odeme
          Source: wget.exe, 00000002.00000002.1116037057.0000000002C0B000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
          Source: wget.exe, 00000002.00000002.1116098339.0000000002C2C000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
          Source: RegAsm.exe, 0000000A.00000002.1540359340.0000000020150000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
          Source: RegAsm.exe, 0000000A.00000002.1540359340.0000000020150000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
          Source: RegAsm.exe, 0000000A.00000002.1540862429.00000000202CD000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0
          Source: wget.exe, 00000002.00000002.1116037057.0000000002C0B000.00000004.00000001.sdmpString found in binary or memory: https://www.mediafire.com
          Source: wget.exe, 00000002.00000002.1113780257.0000000000140000.00000004.00000020.sdmp, cmdline.out.2.drString found in binary or memory: https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/file
          Source: wget.exe, 00000002.00000002.1114399568.00000000010E0000.00000004.00000040.sdmpString found in binary or memory: https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/fileIr
          Source: wget.exe, 00000002.00000002.1114399568.00000000010E0000.00000004.00000040.sdmpString found in binary or memory: https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/fileOr
          Source: RegAsm.exe, 0000000A.00000002.1537388336.0000000001300000.00000040.00000001.sdmpString found in binary or memory: https://www.mediafire.com/file/y5pwzn9cfp14skc/origin_KpByGzql114.bin/file
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49942
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49941
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49940
          Source: unknownNetwork traffic detected: HTTP traffic on port 49940 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49943 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49943

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000005.00000003.1124246950.0000000001380000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeCode function: 9_2_02122C31 NtResumeThread,9_2_02122C31
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeCode function: 9_2_02122D48 NtResumeThread,9_2_02122D48
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01302D30 NtSetInformationThread,10_2_01302D30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01302997 NtProtectVirtualMemory,10_2_01302997
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0130017C NtSetInformationThread,10_2_0130017C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0130017E NtSetInformationThread,10_2_0130017E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01302D48 NtSetInformationThread,10_2_01302D48
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FF3B362 NtQuerySystemInformation,10_2_1FF3B362
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FF3B331 NtQuerySystemInformation,10_2_1FF3B331
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BD98A32_3_02BD98A3
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BD98A32_3_02BD98A3
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BD77512_3_02BD7751
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BD98A32_3_02BD98A3
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BD98A32_3_02BD98A3
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BD77512_3_02BD7751
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_02BDE06D2_2_02BDE06D
          Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4_2_014202A84_2_014202A8
          Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4_2_014202994_2_01420299
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeCode function: 9_2_004015EC9_2_004015EC
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FF3247D10_2_1FF3247D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238A65B10_2_2238A65B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238B29010_2_2238B290
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238AB1810_2_2238AB18
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22380F0810_2_22380F08
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238536010_2_22385360
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22387F8810_2_22387F88
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238007010_2_22380070
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_223825F410_2_223825F4
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238423310_2_22384233
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22383A6510_2_22383A65
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_223826AC10_2_223826AC
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_223826C310_2_223826C3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22382F3A10_2_22382F3A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238273B10_2_2238273B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22383B0110_2_22383B01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238337810_2_22383378
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238C36510_2_2238C365
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238535210_2_22385352
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238879B10_2_2238879B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238A7DE10_2_2238A7DE
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22382FD310_2_22382FD3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_223883C810_2_223883C8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238442110_2_22384421
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2238894610_2_22388946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_223825F410_2_223825F4
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2251000610_2_22510006
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2251F0A810_2_2251F0A8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2251F81110_2_2251F811
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2251F09B10_2_2251F09B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2251F58310_2_2251F583
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2251F4E110_2_2251F4E1
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_2251FC6D10_2_2251FC6D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D300E610_2_22D300E6
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D32E4010_2_22D32E40
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D3327010_2_22D33270
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D4BED810_2_22D4BED8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D4E68810_2_22D4E688
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D4F22810_2_22D4F228
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D4D5E010_2_22D4D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D4E9E810_2_22D4E9E8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D4A59010_2_22D4A590
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D4B95010_2_22D4B950
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22D4DC5810_2_22D4DC58
          Source: Odeme makbuzu.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: security.dllJump to behavior
          Source: 00000005.00000003.1124246950.0000000001380000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: classification engineClassification label: mal100.troj.spyw.evad.win@19/5@5/5
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FF3B1E6 AdjustTokenPrivileges,10_2_1FF3B1E6
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FF3B1AF AdjustTokenPrivileges,10_2_1FF3B1AF
          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\cmdline.outJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1444:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3812:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_01
          Source: C:\Windows\SysWOW64\unarchiver.exeFile created: C:\Users\user\AppData\Local\Temp\ghla5sa3.krdJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
          Source: C:\Windows\SysWOW64\wget.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: wget.exeString found in binary or memory: rl.usertrust.com/AddTrustExternalCARoot.crl
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/file' > cmdline.out 2>&1
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/file'
          Source: unknownProcess created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\Odeme makbuzu.7z'
          Source: unknownProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i' 'C:\Users\user\Desktop\download\Odeme makbuzu.7z'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/6urm5ylq31a3s24/Odeme_makbuzu.7z/file' Jump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i' 'C:\Users\user\Desktop\download\Odeme makbuzu.7z'Jump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe'Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exe C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
          Source: Binary string: mscorrc.pdb source: RegAsm.exe, 0000000A.00000002.1542873987.0000000022D50000.00000002.00000001.sdmp

          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDA3F0 push B8010EB2h; ret 2_3_02BDA3F5
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDA3F0 push B8010EB2h; ret 2_3_02BDA3F5
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDCFE7 pushad ; retn 0078h2_3_02BDD045
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDCFE7 pushad ; retn 0078h2_3_02BDD045
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDD071 pushad ; retn 0078h2_3_02BDD075
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDD071 pushad ; retn 0078h2_3_02BDD075
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDA3F0 push B8010EB2h; ret 2_3_02BDA3F5
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDA3F0 push B8010EB2h; ret 2_3_02BDA3F5
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDCFE7 pushad ; retn 0078h2_3_02BDD045
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDCFE7 pushad ; retn 0078h2_3_02BDD045
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDD071 pushad ; retn 0078h2_3_02BDD075
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_3_02BDD071 pushad ; retn 0078h2_3_02BDD075
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_02BDD9A9 pushad ; ret 2_2_02BDD9B5
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_02BDCFE7 pushad ; retn 0078h2_2_02BDD045
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_02BDCF71 pushfd ; retn 0000h2_2_02BDCFE3
          Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_02BDD071 pushad ; retn 0078h2_2_02BDD075
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F28763 push ds; ret 5_2_02F28782
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F2B563 push E0725569h; retf 5_2_02F2B875
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F2D366 pushad ; retf 5_2_02F2D425
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F2D1D0 push eax; retf 5_2_02F2D1E5
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F2DDD9 push 00000015h; iretd 5_2_02F2DE2A
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F282B5 push ds; retn 004Eh5_2_02F282B2
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F2C4BB push ss; iretd 5_2_02F2C50A
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F28723 push ds; retf 5_2_02F28742
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F28293 push ds; retn 004Eh5_2_02F282B2
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F28B00 push ds; retn 0054h5_2_02F28C54
          Source: C:\Windows\SysWOW64\7za.exeCode function: 5_2_02F2810E push ds; retf 004Eh5_2_02F28272
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeCode function: 9_2_00404692 push ss; iretd 9_2_0040472E
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeCode function: 9_2_004050A3 push es; retf 9_2_004050A4
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeCode function: 9_2_00404964 push edx; iretd 9_2_00404965
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeCode function: 9_2_00404710 push ss; iretd 9_2_0040472E

          Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeJump to dropped file

          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0130134E 10_2_0130134E
          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeRDTSC instruction interceptor: First address: 0000000002121352 second address: 0000000002121372 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 nop 0x00000006 shl edx, 20h 0x00000009 or edx, eax 0x0000000b mov esi, edx 0x0000000d clc 0x0000000e pushad 0x0000000f mov eax, 00000001h 0x00000014 cpuid 0x00000016 bt ecx, 1Fh 0x0000001a jc 00007F2E8075BB62h 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\abjfzdtz.g1i\Odeme makbuzu.exeRDTSC instruction interceptor: First address: 0000000002121372 second address: 0000000002121352 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2E807AA8ADh 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2E807AA8D3h 0x0000001b push ecx 0x0000001c call 00007F2E807AA92Eh 0x00000021 cld 0x00000022 lfence 0x00000025 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001301352 second address: 0000000001301372 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 nop 0x00000006 shl edx, 20h 0x00000009 or edx, eax 0x0000000b mov esi, edx 0x0000000d clc 0x0000000e pushad 0x0000000f mov eax, 00000001h 0x00000014 cpuid 0x00000016 bt ecx, 1Fh 0x0000001a jc 00007F2E8075BB62h 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001301372 second address: 0000000001301352 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2E807AA8ADh 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2E807AA8D3h 0x0000001b push ecx 0x0000001c call 00007F2E807AA92Eh 0x00000021 cld 0x00000022 lfence 0x00000025 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0130134E rdtsc 10_2_0130134E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exe TID: 820Thread sleep count: 229 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exe TID: 820Thread sleep time: -114500s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -90000s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -89673s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -89391s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -59062s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -58874s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -58688s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -58188s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -58000s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -57782s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -57282s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -84891s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -56374s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -56188s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -55688s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -55500s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -54782s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -81891s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -54406s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -53874s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -53688s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -53468s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -53000s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -52782s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -52094s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -51406s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -50968s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -75423s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -49594s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -48468s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -46874s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -46000s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -45782s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -45594s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -44874s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -44188s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -43782s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -43282s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -42594s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -42374s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -41874s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -41688s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -41282s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -40782s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -39874s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -39188s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4792Thread sleep time: -37156s >=