Loading ...

Play interactive tourEdit tour

Analysis Report C0PIA11.exe

Overview

General Information

Sample Name:C0PIA11.exe
MD5:d0f4fb94e554b4b7f8488232f4e6f8d1
SHA1:84be68551db699af3a1399c91b60d63f0aa337d9
SHA256:39eaf7743a0f3d78cd251ea334adc6968047e4aaf8fcf235287480beb7fc13f7

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Capture Wi-Fi password
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • C0PIA11.exe (PID: 2436 cmdline: 'C:\Users\user\Desktop\C0PIA11.exe' MD5: D0F4FB94E554B4B7F8488232F4E6F8D1)
    • RegAsm.exe (PID: 3852 cmdline: 'C:\Users\user\Desktop\C0PIA11.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 3940 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "HESlmSG5HK2n6", "URL: ": "https://ueeGnvPdI4IpYJ3LTqfA.com", "To: ": "markdover52@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "dCrCCq0", "From: ": "markdover52@yandex.ru"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.1198395453.0000000000E00000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    00000003.00000002.1201572584.000000001FBE0000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000003.00000002.1201572584.000000001FBE0000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegAsm.exe PID: 3852JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: RegAsm.exe PID: 3852JoeSecurity_GuLoaderYara detected GuLoaderJoe Security
            Click to see the 1 entries

            Sigma Overview


            System Summary:

            barindex
            Sigma detected: Capture Wi-Fi passwordShow sources
            Source: Process startedAuthor: Joe Security: Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\Desktop\C0PIA11.exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 3852, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 3940
            Sigma detected: RegAsm connects to smtp portShow sources
            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 3852, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49749

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus / Scanner detection for submitted sampleShow sources
            Source: C0PIA11.exeAvira: detected
            Found malware configurationShow sources
            Source: RegAsm.exe.3852.3.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "HESlmSG5HK2n6", "URL: ": "https://ueeGnvPdI4IpYJ3LTqfA.com", "To: ": "markdover52@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "dCrCCq0", "From: ": "markdover52@yandex.ru"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: C0PIA11.exeVirustotal: Detection: 71%Perma Link
            Source: C0PIA11.exeReversingLabs: Detection: 74%

            Source: global trafficTCP traffic: 192.168.2.5:49749 -> 77.88.21.158:587
            Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
            Source: global trafficTCP traffic: 192.168.2.5:49749 -> 77.88.21.158:587
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_1FA0A09A recv,3_2_1FA0A09A
            Source: unknownDNS traffic detected: queries for: onedrive.live.com
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
            Source: RegAsm.exe, 00000003.00000002.1198577895.0000000000FBB000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
            Source: RegAsm.exe, 00000003.00000002.1198577895.0000000000FBB000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
            Source: RegAsm.exe, 00000003.00000002.1198577895.0000000000FBB000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.msocsp.com0
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
            Source: RegAsm.exe, 00000003.00000002.1198395453.0000000000E00000.00000040.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=CA308E3D3912D9E7&resid=CA308E3D3912D9E7%21546&authkey=AA6q-ry
            Source: RegAsm.exe, 00000003.00000002.1198577895.0000000000FBB000.00000004.00000020.sdmpString found in binary or memory: https://pcltrg.db.files.1drv.com/y4mqzTZtD0n67itu6UulDwPPvlqsEZWIldHcitmloOoGIn3e0gE6XIy7aWLW3hflEQ3
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1202338217.000000001FE1A000.00000004.00000001.sdmpString found in binary or memory: https://ueeGnvPdI4IpYJ3LTqfA.com
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: https://ueeGnvPdI4IpYJ3LTqfA.comxWk
            Source: RegAsm.exe, 00000003.00000002.1202209320.000000001FDAE000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0
            Source: RegAsm.exe, 00000003.00000002.1198577895.0000000000FBB000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0

            Source: C0PIA11.exe, 00000000.00000002.933059313.000000000069A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7BE2 NtResumeThread,0_2_021B7BE2
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7E48 NtResumeThread,0_2_021B7E48
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7C9E NtResumeThread,0_2_021B7C9E
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7EB0 NtResumeThread,0_2_021B7EB0
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7CD9 NtResumeThread,0_2_021B7CD9
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7EEB NtResumeThread,0_2_021B7EEB
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7F30 NtResumeThread,0_2_021B7F30
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7D20 NtResumeThread,0_2_021B7D20
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7D47 NtResumeThread,0_2_021B7D47
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7F9A NtResumeThread,0_2_021B7F9A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7D8B NtResumeThread,0_2_021B7D8B
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7DB9 NtResumeThread,0_2_021B7DB9
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7FCF NtResumeThread,0_2_021B7FCF
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7DFC NtResumeThread,0_2_021B7DFC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07C83 NtSetInformationThread,3_2_00E07C83
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E0780D NtProtectVirtualMemory,3_2_00E0780D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00701 EnumWindows,NtSetInformationThread,LdrInitializeThunk,3_2_00E00701
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07CD9 NtSetInformationThread,3_2_00E07CD9
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00899 NtSetInformationThread,3_2_00E00899
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07C9E NtSetInformationThread,3_2_00E07C9E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E0083D NtSetInformationThread,3_2_00E0083D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00809 NtSetInformationThread,3_2_00E00809
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07DFC NtSetInformationThread,3_2_00E07DFC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07DB9 NtSetInformationThread,3_2_00E07DB9
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07D8B NtSetInformationThread,3_2_00E07D8B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07D47 NtSetInformationThread,3_2_00E07D47
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07D20 NtSetInformationThread,3_2_00E07D20
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07EEB NtSetInformationThread,3_2_00E07EEB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07EB0 NtSetInformationThread,3_2_00E07EB0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07E48 NtSetInformationThread,3_2_00E07E48
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07FCF NtSetInformationThread,3_2_00E07FCF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E007B7 NtSetInformationThread,3_2_00E007B7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07F9A NtSetInformationThread,3_2_00E07F9A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E07F30 NtSetInformationThread,3_2_00E07F30
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_1FA0B362 NtQuerySystemInformation,3_2_1FA0B362
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_1FA0B331 NtQuerySystemInformation,3_2_1FA0B331
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_004014500_2_00401450
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_004036550_2_00403655
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_004036A40_2_004036A4
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_004037910_2_00403791
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7BE20_2_021B7BE2
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B501C0_2_021B501C
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B5A0C0_2_021B5A0C
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B66000_2_021B6600
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B42070_2_021B4207
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B24380_2_021B2438
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B422A0_2_021B422A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B282E0_2_021B282E
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B30200_2_021B3020
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B12260_2_021B1226
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B5C5A0_2_021B5C5A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B505F0_2_021B505F
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B5A530_2_021B5A53
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B164A0_2_021B164A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B704A0_2_021B704A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B564E0_2_021B564E
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B40460_2_021B4046
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B14440_2_021B1444
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B0A7A0_2_021B0A7A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B3A710_2_021B3A71
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B6A710_2_021B6A71
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B1E6F0_2_021B1E6F
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B286F0_2_021B286F
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B586C0_2_021B586C
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B228A0_2_021B228A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B1E800_2_021B1E80
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B70A20_2_021B70A2
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B3ED80_2_021B3ED8
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B26D30_2_021B26D3
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B5CD40_2_021B5CD4
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B46CE0_2_021B46CE
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B0AC30_2_021B0AC3
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B3CC60_2_021B3CC6
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B74F60_2_021B74F6
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B62EF0_2_021B62EF
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B08E30_2_021B08E3
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B10E10_2_021B10E1
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B18E10_2_021B18E1
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B151A0_2_021B151A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B271A0_2_021B271A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B3F1A0_2_021B3F1A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B3B0B0_2_021B3B0B
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B070A0_2_021B070A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B430A0_2_021B430A
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B2D0E0_2_021B2D0E
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B710C0_2_021B710C
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B392C0_2_021B392C
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B41220_2_021B4122
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B6D200_2_021B6D20
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B23260_2_021B2326
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B11580_2_021B1158
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B3B5E0_2_021B3B5E
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B4B5E0_2_021B4B5E
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B43540_2_021B4354
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B63480_2_021B6348
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B05420_2_021B0542
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B51700_2_021B5170
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B07600_2_021B0760
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B39670_2_021B3967
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B6F670_2_021B6F67
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B6B980_2_021B6B98
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B579E0_2_021B579E
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B61900_2_021B6190
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B1D800_2_021B1D80
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B65BD0_2_021B65BD
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B07B60_2_021B07B6
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B2BAB0_2_021B2BAB
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B13A80_2_021B13A8
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B4BCB0_2_021B4BCB
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B09CF0_2_021B09CF
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B59C60_2_021B59C6
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B07FB0_2_021B07FB
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B6BFB0_2_021B6BFB
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B15F30_2_021B15F3
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B45E20_2_021B45E2
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B57E40_2_021B57E4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E007013_2_00E00701
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00C563_2_00E00C56
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00C1D3_2_00E00C1D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00AD73_2_00E00AD7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00A803_2_00E00A80
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00A7E3_2_00E00A7E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00BC83_2_00E00BC8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00B703_2_00E00B70
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E00B1D3_2_00E00B1D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F15BB83_2_21F15BB8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F1A1703_2_21F1A170
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F10F683_2_21F10F68
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F191283_2_21F19128
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F170F03_2_21F170F0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F156A83_2_21F156A8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F1B4683_2_21F1B468
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F126513_2_21F12651
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F104503_2_21F10450
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F186503_2_21F18650
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F18C4E3_2_21F18C4E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F180283_2_21F18028
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F161F63_2_21F161F6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F15BA83_2_21F15BA8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F127553_2_21F12755
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F143423_2_21F14342
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F137353_2_21F13735
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F181383_2_21F18138
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F191203_2_21F19120
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F161223_2_21F16122
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F186D43_2_21F186D4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F126513_2_21F12651
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F1A2953_2_21F1A295
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F13A893_2_21F13A89
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F1A26B3_2_21F1A26B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F1B4583_2_21F1B458
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F104403_2_21F10440
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F186403_2_21F18640
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F1A2223_2_21F1A222
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21FEF0283_2_21FEF028
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21FE00493_2_21FE0049
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21FEFB453_2_21FEFB45
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21FEF4233_2_21FEF423
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21FEF0183_2_21FEF018
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21FEF4903_2_21FEF490
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21FEF74D3_2_21FEF74D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_22819B003_2_22819B00
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2281CF283_2_2281CF28
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2281E0D83_2_2281E0D8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2281ECD83_2_2281ECD8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228198003_2_22819800
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228191B83_2_228191B8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228155B83_2_228155B8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2281DD383_2_2281DD38
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2281C9703_2_2281C970
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_22815EE03_2_22815EE0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2281D7683_2_2281D768
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A28A03_2_228A28A0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A24383_2_228A2438
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A3C683_2_228A3C68
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A1D983_2_228A1D98
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A49E03_2_228A49E0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A21773_2_228A2177
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A28903_2_228A2890
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A2EFF3_2_228A2EFF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A242B3_2_228A242B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A00703_2_228A0070
            Source: C0PIA11.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C0PIA11.exe, 00000000.00000000.773214276.000000000041B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameUndiminishab.exe vs C0PIA11.exe
            Source: C0PIA11.exe, 00000000.00000002.933382606.00000000021A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs C0PIA11.exe
            Source: C0PIA11.exeBinary or memory string: OriginalFilenameUndiminishab.exe vs C0PIA11.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: security.dllJump to behavior
            Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@7/0@3/1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_1FA0B1E6 AdjustTokenPrivileges,3_2_1FA0B1E6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_1FA0B1AF AdjustTokenPrivileges,3_2_1FA0B1AF
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C0PIA11.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\C0PIA11.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\C0PIA11.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C0PIA11.exeVirustotal: Detection: 71%
            Source: C0PIA11.exeReversingLabs: Detection: 74%
            Source: unknownProcess created: C:\Users\user\Desktop\C0PIA11.exe 'C:\Users\user\Desktop\C0PIA11.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\C0PIA11.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\C0PIA11.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\C0PIA11.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
            Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000003.00000002.1204107260.0000000022820000.00000002.00000001.sdmp

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000003.00000002.1198395453.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3852, type: MEMORY
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_00401450 push es; retf 1103h0_2_004026CF
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_00409218 push edx; ret 0_2_00409219
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_00407230 push esi; retf 0_2_00407231
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_00404B78 push ss; ret 0_2_00404B90
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_00405D30 push edi; ret 0_2_00405D38
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_0040BDC0 push edi; ret 0_2_0040BF28
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_004069C9 push FFFFFF9Fh; ret 0_2_00406BE4
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_004075DC push 0000003Dh; ret 0_2_004075F0
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_00405B83 pushad ; ret 0_2_00405B84
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_004069A6 push FFFFFF9Fh; ret 0_2_00406BE4
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B7A3C push ss; iretd 0_2_021B7ADD
            Source: C:\Users\user\Desktop\C0PIA11.exeCode function: 0_2_021B33D3 pushfd ; rep ret 0_2_021B33D6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F11EC8 push edx; retf 000Dh3_2_21F11ECB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_21F17CB9 pushad ; retf 3_2_21F17CBA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2281589B push edi; retf 3_2_2281589E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_228A0A5C push ss; iretd 3_2_228A0A6A

            Source: C:\Users\user\Desktop\C0PIA11.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\C0PIA11.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\C0PIA11.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\C0PIA11.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\C0PIA11.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\C0PIA11.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\C0PIA11.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\C0PIA11.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\C0PIA11.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E033CF 3_2_00E033CF
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\C0PIA11.exeRDTSC instruction interceptor: First address: 00000000021B33D2 second address: 00000000021B344B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 jmp 00007F8D48DA8022h 0x00000016 clc 0x00000017 bt ecx, 1Fh 0x0000001b jmp 00007F8D48DA8016h 0x0000001d fnop 0x0000001f jc 00007F8D48DA7FF2h 0x00000021 popad 0x00000022 lfence 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\C0PIA11.exeRDTSC instruction interceptor: First address: 00000000021B344B second address: 00000000021B33D2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jng 00007F8D48DA7A85h 0x00000015 ret 0x00000016 add edi, edx 0x00000018 pop ecx 0x00000019 dec ecx 0x0000001a cmp ecx, 00000000h 0x0000001d jne 00007F8D48DA7B03h 0x0000001f push ecx 0x00000020 call 00007F8D48DA7B2Eh 0x00000025 lfence 0x00000028 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000E033D2 second address: 0000000000E0344B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 jmp 00007F8D48DA8022h 0x00000016 clc 0x00000017 bt ecx, 1Fh 0x0000001b jmp 00007F8D48DA8016h 0x0000001d fnop 0x0000001f jc 00007F8D48DA7FF2h 0x00000021 popad 0x00000022 lfence 0x00000025 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000E0344B second address: 0000000000E033D2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jng 00007F8D48DA7A85h 0x00000015 lfence 0x00000018 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00E0341F rdtsc 3_2_00E0341F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -59812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -58906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -57812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -56718s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -56500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -55812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -54218s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -53312s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -52624s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -52406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -51718s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -51500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -51000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -50812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -49406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -49218s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -48500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -47406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -46718s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -45594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -45312s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4468Thread sleep time: -44406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: RegAsm.exe, 00000003.00000002.1203326836.00000000221F0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: C0PIA11.exe, 00000000.00000002.933059313.000000000069A000.00000004.00000020.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeht
            Source: RegAsm.exe, 00000003.00000002.1203326836.00000000221F0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: RegAsm.exe, 00000003.00000002.1203326836.00000000221F0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: RegAsm.exe, 00000003.00000002.1198395453.0000000000E00000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: RegAsm.exe, 00000003.00000002.1203326836.00000000221F0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging:

            bar