Analysis Report oqTdpbN5rF.exe

Overview

General Information

Sample Name: oqTdpbN5rF.exe
Analysis ID: 321100
MD5: 429bba6dbe159c300679509be3085665
SHA1: f79f58bc3142b59d0d8669595a01770bdf5486ff
SHA256: 04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: oqTdpbN5rF.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: oqTdpbN5rF.exe Virustotal: Detection: 36%
Source: oqTdpbN5rF.exe ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match File source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: oqTdpbN5rF.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011F31DC FindFirstFileW,FindNextFileW,FindClose, 15_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 15_2_011D85EA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 15_2_011E245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 15_2_011DB89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 15_2_011E68BA

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop esi 2_2_00417295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop esi 2_2_004172A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop esi 9_2_00417295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop esi 9_2_004172A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop esi 13_2_03017295
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop esi 13_2_030172A5

Networking:

Uses netstat to query active network connections and open ports
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /kgw/?NTlTsb=o2J8lThHmJUlqtc0&0V0hlT=nwMujlop9k/e7RKxDV6F2DOpfZu+NAvKA+XHz2bBew91D/bKU35KPyupQFDW23mxRXA2 HTTP/1.1 Host: www.bikininbodymommy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /kgw/?NTlTsb=o2J8lThHmJUlqtc0&0V0hlT=F7U1ZxCjw0QXGNF8VmzdEObB3hNcDi5za+FuEorWYUt6zFjVN/aD/y1X6yN+u1VrnSag HTTP/1.1 Host: www.buyiprod.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 81.17.18.197
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View ASN Name: PLI-ASCH
Source: unknown DNS traffic detected: queries for: www.bikininbodymommy.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.684955436.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.710214962.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: same Yara matches (memory dumps and unpacked PEs) as listed under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419D50 NtCreateFile, 2_2_00419D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419E00 NtReadFile, 2_2_00419E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419E80 NtClose, 2_2_00419E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419F30 NtAllocateVirtualMemory, 2_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419D4B NtCreateFile, 2_2_00419D4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419DFE NtReadFile, 2_2_00419DFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419DA4 NtCreateFile, 2_2_00419DA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419E7A NtClose, 2_2_00419E7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419F2B NtAllocateVirtualMemory, 2_2_00419F2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03079A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079A20 NtResumeThread,LdrInitializeThunk, 2_2_03079A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079A50 NtCreateFile,LdrInitializeThunk, 2_2_03079A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_03079910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030799A0 NtCreateSection,LdrInitializeThunk, 2_2_030799A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079840 NtDelayExecution,LdrInitializeThunk, 2_2_03079840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03079860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030798F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_030798F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079710 NtQueryInformationToken,LdrInitializeThunk, 2_2_03079710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079780 NtMapViewOfSection,LdrInitializeThunk, 2_2_03079780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030797A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_030797A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03079660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030796E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_030796E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079540 NtReadFile,LdrInitializeThunk, 2_2_03079540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030795D0 NtClose,LdrInitializeThunk, 2_2_030795D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079B00 NtSetValueKey, 2_2_03079B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0307A3B0 NtGetContextThread, 2_2_0307A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079A10 NtQuerySection, 2_2_03079A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079A80 NtOpenDirectoryObject, 2_2_03079A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079950 NtQueueApcThread, 2_2_03079950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030799D0 NtCreateProcessEx, 2_2_030799D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079820 NtEnumerateKey, 2_2_03079820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0307B040 NtSuspendThread, 2_2_0307B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030798A0 NtWriteVirtualMemory, 2_2_030798A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0307A710 NtOpenProcessToken, 2_2_0307A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079730 NtQueryVirtualMemory, 2_2_03079730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079760 NtOpenProcess, 2_2_03079760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079770 NtSetInformationFile, 2_2_03079770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0307A770 NtOpenThread, 2_2_0307A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079FE0 NtCreateMutant, 2_2_03079FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079610 NtEnumerateValueKey, 2_2_03079610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079650 NtQueryValueKey, 2_2_03079650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079670 NtQueryInformationProcess, 2_2_03079670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030796D0 NtCreateKey, 2_2_030796D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079520 NtWaitForSingleObject, 2_2_03079520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0307AD30 NtSetContextThread, 2_2_0307AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079560 NtWriteFile, 2_2_03079560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030795F0 NtQueryInformationFile, 2_2_030795F0
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Code function: 7_2_05731C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread, 7_2_05731C09
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Code function: 7_2_057300AD NtOpenSection,NtMapViewOfSection, 7_2_057300AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419D50 NtCreateFile, 9_2_00419D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419E00 NtReadFile, 9_2_00419E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419E80 NtClose, 9_2_00419E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419F30 NtAllocateVirtualMemory, 9_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419D4B NtCreateFile, 9_2_00419D4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419DFE NtReadFile, 9_2_00419DFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419DA4 NtCreateFile, 9_2_00419DA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419E7A NtClose, 9_2_00419E7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419F2B NtAllocateVirtualMemory, 9_2_00419F2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9A50 NtCreateFile,LdrInitializeThunk, 9_2_027D9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9A20 NtResumeThread,LdrInitializeThunk, 9_2_027D9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9A00 NtProtectVirtualMemory,LdrInitializeThunk, 9_2_027D9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_027D9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9840 NtDelayExecution,LdrInitializeThunk, 9_2_027D9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D98F0 NtReadVirtualMemory,LdrInitializeThunk, 9_2_027D98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_027D9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D99A0 NtCreateSection,LdrInitializeThunk, 9_2_027D99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_027D9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_027D96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9710 NtQueryInformationToken,LdrInitializeThunk, 9_2_027D9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D97A0 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_027D97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9780 NtMapViewOfSection,LdrInitializeThunk, 9_2_027D9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9540 NtReadFile,LdrInitializeThunk, 9_2_027D9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D95D0 NtClose,LdrInitializeThunk, 9_2_027D95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9A10 NtQuerySection, 9_2_027D9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9A80 NtOpenDirectoryObject, 9_2_027D9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9B00 NtSetValueKey, 9_2_027D9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027DA3B0 NtGetContextThread, 9_2_027DA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027DB040 NtSuspendThread, 9_2_027DB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9820 NtEnumerateKey, 9_2_027D9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D98A0 NtWriteVirtualMemory, 9_2_027D98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9950 NtQueueApcThread, 9_2_027D9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D99D0 NtCreateProcessEx, 9_2_027D99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9670 NtQueryInformationProcess, 9_2_027D9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9650 NtQueryValueKey, 9_2_027D9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9610 NtEnumerateValueKey, 9_2_027D9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D96D0 NtCreateKey, 9_2_027D96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9770 NtSetInformationFile, 9_2_027D9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027DA770 NtOpenThread, 9_2_027DA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9760 NtOpenProcess, 9_2_027D9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9730 NtQueryVirtualMemory, 9_2_027D9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027DA710 NtOpenProcessToken, 9_2_027DA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9FE0 NtCreateMutant, 9_2_027D9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9560 NtWriteFile, 9_2_027D9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027DAD30 NtSetContextThread, 9_2_027DAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D9520 NtWaitForSingleObject, 9_2_027D9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D95F0 NtQueryInformationFile, 9_2_027D95F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019F30 NtAllocateVirtualMemory, 13_2_03019F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019E00 NtReadFile, 13_2_03019E00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019E80 NtClose, 13_2_03019E80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019D50 NtCreateFile, 13_2_03019D50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019F2B NtAllocateVirtualMemory, 13_2_03019F2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019E7A NtClose, 13_2_03019E7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019D4B NtCreateFile, 13_2_03019D4B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019DA4 NtCreateFile, 13_2_03019DA4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03019DFE NtReadFile, 13_2_03019DFE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011F6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 15_2_011F6D90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011FB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 15_2_011FB5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose, 15_2_011DB42E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011D84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 15_2_011D84BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011D58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 15_2_011D58A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011DB4C0 NtQueryInformationToken, 15_2_011DB4C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011DB4F8 NtQueryInformationToken,NtQueryInformationToken, 15_2_011DB4F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011D83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 15_2_011D83F2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011F9AB4 NtSetInformationFile, 15_2_011F9AB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_03CD9910
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_03CD9860
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9FE0 NtCreateMutant,LdrInitializeThunk, 15_2_03CD9FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD96E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_03CD96E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CDA3B0 NtGetContextThread, 15_2_03CDA3B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9B00 NtSetValueKey, 15_2_03CD9B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9A80 NtOpenDirectoryObject, 15_2_03CD9A80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9A50 NtCreateFile, 15_2_03CD9A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9A00 NtProtectVirtualMemory, 15_2_03CD9A00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9A10 NtQuerySection, 15_2_03CD9A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9A20 NtResumeThread, 15_2_03CD9A20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD99D0 NtCreateProcessEx, 15_2_03CD99D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD99A0 NtCreateSection, 15_2_03CD99A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9950 NtQueueApcThread, 15_2_03CD9950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD98F0 NtReadVirtualMemory, 15_2_03CD98F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD98A0 NtWriteVirtualMemory, 15_2_03CD98A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CDB040 NtSuspendThread, 15_2_03CDB040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9840 NtDelayExecution, 15_2_03CD9840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9820 NtEnumerateKey, 15_2_03CD9820
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9780 NtMapViewOfSection, 15_2_03CD9780
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD97A0 NtUnmapViewOfSection, 15_2_03CD97A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9760 NtOpenProcess, 15_2_03CD9760
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CDA770 NtOpenThread, 15_2_03CDA770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9770 NtSetInformationFile, 15_2_03CD9770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9710 NtQueryInformationToken, 15_2_03CD9710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CDA710 NtOpenProcessToken, 15_2_03CDA710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9730 NtQueryVirtualMemory, 15_2_03CD9730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD96D0 NtCreateKey, 15_2_03CD96D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9650 NtQueryValueKey, 15_2_03CD9650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9660 NtAllocateVirtualMemory, 15_2_03CD9660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9670 NtQueryInformationProcess, 15_2_03CD9670
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9610 NtEnumerateValueKey, 15_2_03CD9610
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD95D0 NtClose, 15_2_03CD95D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD95F0 NtQueryInformationFile, 15_2_03CD95F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9540 NtReadFile, 15_2_03CD9540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9560 NtWriteFile, 15_2_03CD9560
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CD9520 NtWaitForSingleObject, 15_2_03CD9520
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CDAD30 NtSetContextThread, 15_2_03CDAD30
Contains functionality to communicate with device drivers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 15_2_011E6550
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle, 15_2_011E374E
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 03C9B150 appears 150 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 03CED08C appears 48 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 03D25720 appears 75 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0279B150 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0303B150 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0041BBD0 appears 38 times
Sample file is different than original file name gathered from version info
Source: oqTdpbN5rF.exe, 00000007.00000002.943119673.0000000007330000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs oqTdpbN5rF.exe
Source: oqTdpbN5rF.exe, 00000007.00000002.943496672.0000000007430000.00000002.00000001.sdmp Binary or memory string: originalfilename vs oqTdpbN5rF.exe
Source: oqTdpbN5rF.exe, 00000007.00000002.943496672.0000000007430000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs oqTdpbN5rF.exe
Source: oqTdpbN5rF.exe, 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamewrqOAYwEoZhXymge.bounce.exe4 vs oqTdpbN5rF.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Yara signature match
Source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: oqTdpbN5rF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@22/0@4/2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011DC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit, 15_2_011DC5CA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011FA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z, 15_2_011FA0D2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_01
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: oqTdpbN5rF.exe Virustotal: Detection: 36%
Source: oqTdpbN5rF.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe File read: C:\Users\user\Desktop\oqTdpbN5rF.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\oqTdpbN5rF.exe 'C:\Users\user\Desktop\oqTdpbN5rF.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\user\Desktop\oqTdpbN5rF.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: unknown Process created: C:\Users\user\Desktop\oqTdpbN5rF.exe 'C:\Users\user\Desktop\oqTdpbN5rF.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\user\Desktop\oqTdpbN5rF.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\user\Desktop\oqTdpbN5rF.exe'
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process created: C:\Users\user\Desktop\oqTdpbN5rF.exe 'C:\Users\user\Desktop\oqTdpbN5rF.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\user\Desktop\oqTdpbN5rF.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: oqTdpbN5rF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: oqTdpbN5rF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: RegAsm.exe, 00000009.00000003.721638489.0000000000BB4000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.697777161.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb source: RegAsm.exe, 00000009.00000003.721638489.0000000000BB4000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000002.00000002.734206923.000000000312F000.00000040.00000001.sdmp, RegAsm.exe, 00000009.00000002.722519275.000000000288F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.934264462.000000000324F000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000002.734627741.0000000003D8F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: RegAsm.exe, 00000002.00000003.728759278.0000000001454000.00000004.00000001.sdmp, cmd.exe, 0000000F.00000002.733036849.00000000011D0000.00000040.00000001.sdmp
Source: Binary string: RegAsm.pdb source: NETSTAT.EXE, 0000000D.00000002.934731949.000000000379F000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, NETSTAT.EXE, 0000000D.00000002.934264462.000000000324F000.00000040.00000001.sdmp, cmd.exe
Source: Binary string: RegAsm.pdb4 source: NETSTAT.EXE, 0000000D.00000002.934731949.000000000379F000.00000004.00000001.sdmp
Source: Binary string: cmd.pdb source: RegAsm.exe, 00000002.00000003.728759278.0000000001454000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.697777161.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004169BB push esi; ret 2_2_004169BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040AB07 push ds; retf 2_2_0040AB09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414E05 push ss; retf 2_2_00414E06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CEF2 push eax; ret 2_2_0041CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CEFB push eax; ret 2_2_0041CF62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CEA5 push eax; ret 2_2_0041CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CF5C push eax; ret 2_2_0041CF62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0308D0D1 push ecx; ret 2_2_0308D0E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004169BB push esi; ret 9_2_004169BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040AB07 push ds; retf 9_2_0040AB09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00414E05 push ss; retf 9_2_00414E06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CEF2 push eax; ret 9_2_0041CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CEFB push eax; ret 9_2_0041CF62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CEA5 push eax; ret 9_2_0041CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CF5C push eax; ret 9_2_0041CF62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027ED0D1 push ecx; ret 9_2_027ED0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_0300AB07 push ds; retf 13_2_0300AB09
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_030169BB push esi; ret 13_2_030169BC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_0301CF5C push eax; ret 13_2_0301CF62
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_03014E05 push ss; retf 13_2_03014E06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_0301CEA5 push eax; ret 13_2_0301CEF8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_0301CEF2 push eax; ret 13_2_0301CEF8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 13_2_0301CEFB push eax; ret 13_2_0301CF62
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E76BD push ecx; ret 15_2_011E76D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E76D1 push ecx; ret 15_2_011E76E4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_03CED0D1 push ecx; ret 15_2_03CED0E4
Source: initial sample Static PE information: section name: .text entropy: 7.86101767821

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE5
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000030098E4 second address: 00000000030098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000003009B4E second address: 0000000003009B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 00000000011298E4 second address: 00000000011298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000001129B4E second address: 0000000001129B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409A80 rdtsc 2_2_00409A80
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Window / User API: threadDelayed 1760
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Window / User API: threadDelayed 1178
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe TID: 4460 Thread sleep time: -35200s >= -30000s
Source: C:\Windows\explorer.exe TID: 1076 Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 1076 Thread sleep time: -68000s >= -30000s
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe TID: 6968 Thread sleep count: 232 > 30
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe TID: 6936 Thread sleep count: 1178 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4728 Thread sleep time: -65000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011F31DC FindFirstFileW,FindNextFileW,FindClose, 15_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 15_2_011D85EA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 15_2_011E245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 15_2_011DB89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 15_2_011E68BA
Source: explorer.exe, 00000005.00000000.697558905.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.707875576.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.698551469.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.707875576.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.945532081.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.708258003.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.697558905.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.697558905.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: oqTdpbN5rF.exe, 00000007.00000002.933799274.0000000000FC4000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:,
Source: explorer.exe, 00000005.00000000.708258003.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000005.00000000.697558905.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409A80 rdtsc 2_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03079A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03079A00
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011F2258 IsDebuggerPresent, 15_2_011F2258
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F131B mov eax, dword ptr fs:[00000030h] 2_2_030F131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303DB40 mov eax, dword ptr fs:[00000030h] 2_2_0303DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03108B58 mov eax, dword ptr fs:[00000030h] 2_2_03108B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303F358 mov eax, dword ptr fs:[00000030h] 2_2_0303F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303DB60 mov ecx, dword ptr fs:[00000030h] 2_2_0303DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03063B7A mov eax, dword ptr fs:[00000030h] 2_2_03063B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03063B7A mov eax, dword ptr fs:[00000030h] 2_2_03063B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F138A mov eax, dword ptr fs:[00000030h] 2_2_030F138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03041B8F mov eax, dword ptr fs:[00000030h] 2_2_03041B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03041B8F mov eax, dword ptr fs:[00000030h] 2_2_03041B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030ED380 mov ecx, dword ptr fs:[00000030h] 2_2_030ED380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03062397 mov eax, dword ptr fs:[00000030h] 2_2_03062397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306B390 mov eax, dword ptr fs:[00000030h] 2_2_0306B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03064BAD mov eax, dword ptr fs:[00000030h] 2_2_03064BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03064BAD mov eax, dword ptr fs:[00000030h] 2_2_03064BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03064BAD mov eax, dword ptr fs:[00000030h] 2_2_03064BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03105BA5 mov eax, dword ptr fs:[00000030h] 2_2_03105BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B53CA mov eax, dword ptr fs:[00000030h] 2_2_030B53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B53CA mov eax, dword ptr fs:[00000030h] 2_2_030B53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030603E2 mov eax, dword ptr fs:[00000030h] 2_2_030603E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030603E2 mov eax, dword ptr fs:[00000030h] 2_2_030603E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030603E2 mov eax, dword ptr fs:[00000030h] 2_2_030603E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030603E2 mov eax, dword ptr fs:[00000030h] 2_2_030603E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030603E2 mov eax, dword ptr fs:[00000030h] 2_2_030603E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030603E2 mov eax, dword ptr fs:[00000030h] 2_2_030603E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0305DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03048A0A mov eax, dword ptr fs:[00000030h] 2_2_03048A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03035210 mov eax, dword ptr fs:[00000030h] 2_2_03035210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03035210 mov ecx, dword ptr fs:[00000030h] 2_2_03035210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03035210 mov eax, dword ptr fs:[00000030h] 2_2_03035210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03035210 mov eax, dword ptr fs:[00000030h] 2_2_03035210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303AA16 mov eax, dword ptr fs:[00000030h] 2_2_0303AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303AA16 mov eax, dword ptr fs:[00000030h] 2_2_0303AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03053A1C mov eax, dword ptr fs:[00000030h] 2_2_03053A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FAA16 mov eax, dword ptr fs:[00000030h] 2_2_030FAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FAA16 mov eax, dword ptr fs:[00000030h] 2_2_030FAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03074A2C mov eax, dword ptr fs:[00000030h] 2_2_03074A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03074A2C mov eax, dword ptr fs:[00000030h] 2_2_03074A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03039240 mov eax, dword ptr fs:[00000030h] 2_2_03039240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03039240 mov eax, dword ptr fs:[00000030h] 2_2_03039240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03039240 mov eax, dword ptr fs:[00000030h] 2_2_03039240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03039240 mov eax, dword ptr fs:[00000030h] 2_2_03039240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FEA55 mov eax, dword ptr fs:[00000030h] 2_2_030FEA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030C4257 mov eax, dword ptr fs:[00000030h] 2_2_030C4257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030EB260 mov eax, dword ptr fs:[00000030h] 2_2_030EB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030EB260 mov eax, dword ptr fs:[00000030h] 2_2_030EB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03108A62 mov eax, dword ptr fs:[00000030h] 2_2_03108A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0307927A mov eax, dword ptr fs:[00000030h] 2_2_0307927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306D294 mov eax, dword ptr fs:[00000030h] 2_2_0306D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306D294 mov eax, dword ptr fs:[00000030h] 2_2_0306D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030352A5 mov eax, dword ptr fs:[00000030h] 2_2_030352A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030352A5 mov eax, dword ptr fs:[00000030h] 2_2_030352A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030352A5 mov eax, dword ptr fs:[00000030h] 2_2_030352A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030352A5 mov eax, dword ptr fs:[00000030h] 2_2_030352A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030352A5 mov eax, dword ptr fs:[00000030h] 2_2_030352A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0304AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0304AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0306FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03062ACB mov eax, dword ptr fs:[00000030h] 2_2_03062ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03062AE4 mov eax, dword ptr fs:[00000030h] 2_2_03062AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03039100 mov eax, dword ptr fs:[00000030h] 2_2_03039100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03039100 mov eax, dword ptr fs:[00000030h] 2_2_03039100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03039100 mov eax, dword ptr fs:[00000030h] 2_2_03039100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03054120 mov eax, dword ptr fs:[00000030h] 2_2_03054120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03054120 mov eax, dword ptr fs:[00000030h] 2_2_03054120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03054120 mov eax, dword ptr fs:[00000030h] 2_2_03054120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03054120 mov eax, dword ptr fs:[00000030h] 2_2_03054120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03054120 mov ecx, dword ptr fs:[00000030h] 2_2_03054120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306513A mov eax, dword ptr fs:[00000030h] 2_2_0306513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306513A mov eax, dword ptr fs:[00000030h] 2_2_0306513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305B944 mov eax, dword ptr fs:[00000030h] 2_2_0305B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305B944 mov eax, dword ptr fs:[00000030h] 2_2_0305B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303C962 mov eax, dword ptr fs:[00000030h] 2_2_0303C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303B171 mov eax, dword ptr fs:[00000030h] 2_2_0303B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303B171 mov eax, dword ptr fs:[00000030h] 2_2_0303B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306A185 mov eax, dword ptr fs:[00000030h] 2_2_0306A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305C182 mov eax, dword ptr fs:[00000030h] 2_2_0305C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03062990 mov eax, dword ptr fs:[00000030h] 2_2_03062990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030661A0 mov eax, dword ptr fs:[00000030h] 2_2_030661A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030661A0 mov eax, dword ptr fs:[00000030h] 2_2_030661A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B69A6 mov eax, dword ptr fs:[00000030h] 2_2_030B69A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B51BE mov eax, dword ptr fs:[00000030h] 2_2_030B51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B51BE mov eax, dword ptr fs:[00000030h] 2_2_030B51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B51BE mov eax, dword ptr fs:[00000030h] 2_2_030B51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B51BE mov eax, dword ptr fs:[00000030h] 2_2_030B51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0303B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0303B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0303B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030C41E8 mov eax, dword ptr fs:[00000030h] 2_2_030C41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03104015 mov eax, dword ptr fs:[00000030h] 2_2_03104015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03104015 mov eax, dword ptr fs:[00000030h] 2_2_03104015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B7016 mov eax, dword ptr fs:[00000030h] 2_2_030B7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B7016 mov eax, dword ptr fs:[00000030h] 2_2_030B7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B7016 mov eax, dword ptr fs:[00000030h] 2_2_030B7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306002D mov eax, dword ptr fs:[00000030h] 2_2_0306002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306002D mov eax, dword ptr fs:[00000030h] 2_2_0306002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306002D mov eax, dword ptr fs:[00000030h] 2_2_0306002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306002D mov eax, dword ptr fs:[00000030h] 2_2_0306002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306002D mov eax, dword ptr fs:[00000030h] 2_2_0306002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304B02A mov eax, dword ptr fs:[00000030h] 2_2_0304B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304B02A mov eax, dword ptr fs:[00000030h] 2_2_0304B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304B02A mov eax, dword ptr fs:[00000030h] 2_2_0304B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304B02A mov eax, dword ptr fs:[00000030h] 2_2_0304B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03050050 mov eax, dword ptr fs:[00000030h] 2_2_03050050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03050050 mov eax, dword ptr fs:[00000030h] 2_2_03050050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03101074 mov eax, dword ptr fs:[00000030h] 2_2_03101074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F2073 mov eax, dword ptr fs:[00000030h] 2_2_030F2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03039080 mov eax, dword ptr fs:[00000030h] 2_2_03039080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B3884 mov eax, dword ptr fs:[00000030h] 2_2_030B3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B3884 mov eax, dword ptr fs:[00000030h] 2_2_030B3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030620A0 mov eax, dword ptr fs:[00000030h] 2_2_030620A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030620A0 mov eax, dword ptr fs:[00000030h] 2_2_030620A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030620A0 mov eax, dword ptr fs:[00000030h] 2_2_030620A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030620A0 mov eax, dword ptr fs:[00000030h] 2_2_030620A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030620A0 mov eax, dword ptr fs:[00000030h] 2_2_030620A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030620A0 mov eax, dword ptr fs:[00000030h] 2_2_030620A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030790AF mov eax, dword ptr fs:[00000030h] 2_2_030790AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0306F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306F0BF mov eax, dword ptr fs:[00000030h] 2_2_0306F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306F0BF mov eax, dword ptr fs:[00000030h] 2_2_0306F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_030CB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CB8D0 mov ecx, dword ptr fs:[00000030h] 2_2_030CB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_030CB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_030CB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_030CB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_030CB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030358EC mov eax, dword ptr fs:[00000030h] 2_2_030358EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306A70E mov eax, dword ptr fs:[00000030h] 2_2_0306A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306A70E mov eax, dword ptr fs:[00000030h] 2_2_0306A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305F716 mov eax, dword ptr fs:[00000030h] 2_2_0305F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CFF10 mov eax, dword ptr fs:[00000030h] 2_2_030CFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CFF10 mov eax, dword ptr fs:[00000030h] 2_2_030CFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0310070D mov eax, dword ptr fs:[00000030h] 2_2_0310070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0310070D mov eax, dword ptr fs:[00000030h] 2_2_0310070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03034F2E mov eax, dword ptr fs:[00000030h] 2_2_03034F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03034F2E mov eax, dword ptr fs:[00000030h] 2_2_03034F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306E730 mov eax, dword ptr fs:[00000030h] 2_2_0306E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304EF40 mov eax, dword ptr fs:[00000030h] 2_2_0304EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304FF60 mov eax, dword ptr fs:[00000030h] 2_2_0304FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03108F6A mov eax, dword ptr fs:[00000030h] 2_2_03108F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03048794 mov eax, dword ptr fs:[00000030h] 2_2_03048794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B7794 mov eax, dword ptr fs:[00000030h] 2_2_030B7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B7794 mov eax, dword ptr fs:[00000030h] 2_2_030B7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B7794 mov eax, dword ptr fs:[00000030h] 2_2_030B7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030737F5 mov eax, dword ptr fs:[00000030h] 2_2_030737F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303C600 mov eax, dword ptr fs:[00000030h] 2_2_0303C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303C600 mov eax, dword ptr fs:[00000030h] 2_2_0303C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303C600 mov eax, dword ptr fs:[00000030h] 2_2_0303C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03068E00 mov eax, dword ptr fs:[00000030h] 2_2_03068E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1608 mov eax, dword ptr fs:[00000030h] 2_2_030F1608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306A61C mov eax, dword ptr fs:[00000030h] 2_2_0306A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306A61C mov eax, dword ptr fs:[00000030h] 2_2_0306A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303E620 mov eax, dword ptr fs:[00000030h] 2_2_0303E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030EFE3F mov eax, dword ptr fs:[00000030h] 2_2_030EFE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03047E41 mov eax, dword ptr fs:[00000030h] 2_2_03047E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03047E41 mov eax, dword ptr fs:[00000030h] 2_2_03047E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03047E41 mov eax, dword ptr fs:[00000030h] 2_2_03047E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03047E41 mov eax, dword ptr fs:[00000030h] 2_2_03047E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03047E41 mov eax, dword ptr fs:[00000030h] 2_2_03047E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03047E41 mov eax, dword ptr fs:[00000030h] 2_2_03047E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FAE44 mov eax, dword ptr fs:[00000030h] 2_2_030FAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FAE44 mov eax, dword ptr fs:[00000030h] 2_2_030FAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304766D mov eax, dword ptr fs:[00000030h] 2_2_0304766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305AE73 mov eax, dword ptr fs:[00000030h] 2_2_0305AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305AE73 mov eax, dword ptr fs:[00000030h] 2_2_0305AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305AE73 mov eax, dword ptr fs:[00000030h] 2_2_0305AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305AE73 mov eax, dword ptr fs:[00000030h] 2_2_0305AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305AE73 mov eax, dword ptr fs:[00000030h] 2_2_0305AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CFE87 mov eax, dword ptr fs:[00000030h] 2_2_030CFE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B46A7 mov eax, dword ptr fs:[00000030h] 2_2_030B46A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03100EA5 mov eax, dword ptr fs:[00000030h] 2_2_03100EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03100EA5 mov eax, dword ptr fs:[00000030h] 2_2_03100EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03100EA5 mov eax, dword ptr fs:[00000030h] 2_2_03100EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03078EC7 mov eax, dword ptr fs:[00000030h] 2_2_03078EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03108ED6 mov eax, dword ptr fs:[00000030h] 2_2_03108ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030636CC mov eax, dword ptr fs:[00000030h] 2_2_030636CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030EFEC0 mov eax, dword ptr fs:[00000030h] 2_2_030EFEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030616E0 mov ecx, dword ptr fs:[00000030h] 2_2_030616E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030476E2 mov eax, dword ptr fs:[00000030h] 2_2_030476E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03108D34 mov eax, dword ptr fs:[00000030h] 2_2_03108D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03043D34 mov eax, dword ptr fs:[00000030h] 2_2_03043D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0303AD30 mov eax, dword ptr fs:[00000030h] 2_2_0303AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FE539 mov eax, dword ptr fs:[00000030h] 2_2_030FE539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030BA537 mov eax, dword ptr fs:[00000030h] 2_2_030BA537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03064D3B mov eax, dword ptr fs:[00000030h] 2_2_03064D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03064D3B mov eax, dword ptr fs:[00000030h] 2_2_03064D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03064D3B mov eax, dword ptr fs:[00000030h] 2_2_03064D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03073D43 mov eax, dword ptr fs:[00000030h] 2_2_03073D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B3540 mov eax, dword ptr fs:[00000030h] 2_2_030B3540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03057D50 mov eax, dword ptr fs:[00000030h] 2_2_03057D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305C577 mov eax, dword ptr fs:[00000030h] 2_2_0305C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305C577 mov eax, dword ptr fs:[00000030h] 2_2_0305C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03062581 mov eax, dword ptr fs:[00000030h] 2_2_03062581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03062581 mov eax, dword ptr fs:[00000030h] 2_2_03062581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03062581 mov eax, dword ptr fs:[00000030h] 2_2_03062581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03062581 mov eax, dword ptr fs:[00000030h] 2_2_03062581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03032D8A mov eax, dword ptr fs:[00000030h] 2_2_03032D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03032D8A mov eax, dword ptr fs:[00000030h] 2_2_03032D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03032D8A mov eax, dword ptr fs:[00000030h] 2_2_03032D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03032D8A mov eax, dword ptr fs:[00000030h] 2_2_03032D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03032D8A mov eax, dword ptr fs:[00000030h] 2_2_03032D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306FD9B mov eax, dword ptr fs:[00000030h] 2_2_0306FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306FD9B mov eax, dword ptr fs:[00000030h] 2_2_0306FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030635A1 mov eax, dword ptr fs:[00000030h] 2_2_030635A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03061DB5 mov eax, dword ptr fs:[00000030h] 2_2_03061DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03061DB5 mov eax, dword ptr fs:[00000030h] 2_2_03061DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03061DB5 mov eax, dword ptr fs:[00000030h] 2_2_03061DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031005AC mov eax, dword ptr fs:[00000030h] 2_2_031005AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_031005AC mov eax, dword ptr fs:[00000030h] 2_2_031005AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_030B6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_030B6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_030B6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6DC9 mov ecx, dword ptr fs:[00000030h] 2_2_030B6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_030B6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_030B6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0304D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0304D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_030FFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_030FFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_030FFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_030FFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030E8DF1 mov eax, dword ptr fs:[00000030h] 2_2_030E8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6C0A mov eax, dword ptr fs:[00000030h] 2_2_030B6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6C0A mov eax, dword ptr fs:[00000030h] 2_2_030B6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6C0A mov eax, dword ptr fs:[00000030h] 2_2_030B6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6C0A mov eax, dword ptr fs:[00000030h] 2_2_030B6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F1C06 mov eax, dword ptr fs:[00000030h] 2_2_030F1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0310740D mov eax, dword ptr fs:[00000030h] 2_2_0310740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0310740D mov eax, dword ptr fs:[00000030h] 2_2_0310740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0310740D mov eax, dword ptr fs:[00000030h] 2_2_0310740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306BC2C mov eax, dword ptr fs:[00000030h] 2_2_0306BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0306A44B mov eax, dword ptr fs:[00000030h] 2_2_0306A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CC450 mov eax, dword ptr fs:[00000030h] 2_2_030CC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030CC450 mov eax, dword ptr fs:[00000030h] 2_2_030CC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0305746D mov eax, dword ptr fs:[00000030h] 2_2_0305746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0304849B mov eax, dword ptr fs:[00000030h] 2_2_0304849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_03108CD6 mov eax, dword ptr fs:[00000030h] 2_2_03108CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030F14FB mov eax, dword ptr fs:[00000030h] 2_2_030F14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_030B6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_030B6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_030B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_030B6CF0
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Code function: 7_2_057301CB mov eax, dword ptr fs:[00000030h] 7_2_057301CB
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Code function: 7_2_057300AD mov ecx, dword ptr fs:[00000030h] 7_2_057300AD
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Code function: 7_2_057300AD mov eax, dword ptr fs:[00000030h] 7_2_057300AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D927A mov eax, dword ptr fs:[00000030h] 9_2_027D927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02799240 mov eax, dword ptr fs:[00000030h] 9_2_02799240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02799240 mov eax, dword ptr fs:[00000030h] 9_2_02799240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02799240 mov eax, dword ptr fs:[00000030h] 9_2_02799240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02799240 mov eax, dword ptr fs:[00000030h] 9_2_02799240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D4A2C mov eax, dword ptr fs:[00000030h] 9_2_027D4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D4A2C mov eax, dword ptr fs:[00000030h] 9_2_027D4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B3A1C mov eax, dword ptr fs:[00000030h] 9_2_027B3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02795210 mov eax, dword ptr fs:[00000030h] 9_2_02795210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02795210 mov ecx, dword ptr fs:[00000030h] 9_2_02795210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02795210 mov eax, dword ptr fs:[00000030h] 9_2_02795210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02795210 mov eax, dword ptr fs:[00000030h] 9_2_02795210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279AA16 mov eax, dword ptr fs:[00000030h] 9_2_0279AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279AA16 mov eax, dword ptr fs:[00000030h] 9_2_0279AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A8A0A mov eax, dword ptr fs:[00000030h] 9_2_027A8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0285AA16 mov eax, dword ptr fs:[00000030h] 9_2_0285AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0285AA16 mov eax, dword ptr fs:[00000030h] 9_2_0285AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C2AE4 mov eax, dword ptr fs:[00000030h] 9_2_027C2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C2ACB mov eax, dword ptr fs:[00000030h] 9_2_027C2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027AAAB0 mov eax, dword ptr fs:[00000030h] 9_2_027AAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027AAAB0 mov eax, dword ptr fs:[00000030h] 9_2_027AAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CFAB0 mov eax, dword ptr fs:[00000030h] 9_2_027CFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0285EA55 mov eax, dword ptr fs:[00000030h] 9_2_0285EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02824257 mov eax, dword ptr fs:[00000030h] 9_2_02824257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027952A5 mov eax, dword ptr fs:[00000030h] 9_2_027952A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027952A5 mov eax, dword ptr fs:[00000030h] 9_2_027952A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027952A5 mov eax, dword ptr fs:[00000030h] 9_2_027952A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027952A5 mov eax, dword ptr fs:[00000030h] 9_2_027952A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027952A5 mov eax, dword ptr fs:[00000030h] 9_2_027952A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0284B260 mov eax, dword ptr fs:[00000030h] 9_2_0284B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0284B260 mov eax, dword ptr fs:[00000030h] 9_2_0284B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02868A62 mov eax, dword ptr fs:[00000030h] 9_2_02868A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CD294 mov eax, dword ptr fs:[00000030h] 9_2_027CD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CD294 mov eax, dword ptr fs:[00000030h] 9_2_027CD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0284D380 mov ecx, dword ptr fs:[00000030h] 9_2_0284D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C3B7A mov eax, dword ptr fs:[00000030h] 9_2_027C3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C3B7A mov eax, dword ptr fs:[00000030h] 9_2_027C3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0285138A mov eax, dword ptr fs:[00000030h] 9_2_0285138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279DB60 mov ecx, dword ptr fs:[00000030h] 9_2_0279DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279F358 mov eax, dword ptr fs:[00000030h] 9_2_0279F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02865BA5 mov eax, dword ptr fs:[00000030h] 9_2_02865BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279DB40 mov eax, dword ptr fs:[00000030h] 9_2_0279DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028153CA mov eax, dword ptr fs:[00000030h] 9_2_028153CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028153CA mov eax, dword ptr fs:[00000030h] 9_2_028153CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BDBE9 mov eax, dword ptr fs:[00000030h] 9_2_027BDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0285131B mov eax, dword ptr fs:[00000030h] 9_2_0285131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C03E2 mov eax, dword ptr fs:[00000030h] 9_2_027C03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C03E2 mov eax, dword ptr fs:[00000030h] 9_2_027C03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C03E2 mov eax, dword ptr fs:[00000030h] 9_2_027C03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C03E2 mov eax, dword ptr fs:[00000030h] 9_2_027C03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C03E2 mov eax, dword ptr fs:[00000030h] 9_2_027C03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C03E2 mov eax, dword ptr fs:[00000030h] 9_2_027C03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C4BAD mov eax, dword ptr fs:[00000030h] 9_2_027C4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C4BAD mov eax, dword ptr fs:[00000030h] 9_2_027C4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C4BAD mov eax, dword ptr fs:[00000030h] 9_2_027C4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02868B58 mov eax, dword ptr fs:[00000030h] 9_2_02868B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C2397 mov eax, dword ptr fs:[00000030h] 9_2_027C2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CB390 mov eax, dword ptr fs:[00000030h] 9_2_027CB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A1B8F mov eax, dword ptr fs:[00000030h] 9_2_027A1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A1B8F mov eax, dword ptr fs:[00000030h] 9_2_027A1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02813884 mov eax, dword ptr fs:[00000030h] 9_2_02813884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02813884 mov eax, dword ptr fs:[00000030h] 9_2_02813884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B0050 mov eax, dword ptr fs:[00000030h] 9_2_027B0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B0050 mov eax, dword ptr fs:[00000030h] 9_2_027B0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027AB02A mov eax, dword ptr fs:[00000030h] 9_2_027AB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027AB02A mov eax, dword ptr fs:[00000030h] 9_2_027AB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027AB02A mov eax, dword ptr fs:[00000030h] 9_2_027AB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027AB02A mov eax, dword ptr fs:[00000030h] 9_2_027AB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C002D mov eax, dword ptr fs:[00000030h] 9_2_027C002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C002D mov eax, dword ptr fs:[00000030h] 9_2_027C002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C002D mov eax, dword ptr fs:[00000030h] 9_2_027C002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C002D mov eax, dword ptr fs:[00000030h] 9_2_027C002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C002D mov eax, dword ptr fs:[00000030h] 9_2_027C002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0282B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0282B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0282B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_0282B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0282B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0282B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0282B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0282B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0282B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0282B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0282B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0282B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02864015 mov eax, dword ptr fs:[00000030h] 9_2_02864015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02864015 mov eax, dword ptr fs:[00000030h] 9_2_02864015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027958EC mov eax, dword ptr fs:[00000030h] 9_2_027958EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02817016 mov eax, dword ptr fs:[00000030h] 9_2_02817016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02817016 mov eax, dword ptr fs:[00000030h] 9_2_02817016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02817016 mov eax, dword ptr fs:[00000030h] 9_2_02817016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CF0BF mov ecx, dword ptr fs:[00000030h] 9_2_027CF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CF0BF mov eax, dword ptr fs:[00000030h] 9_2_027CF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CF0BF mov eax, dword ptr fs:[00000030h] 9_2_027CF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D90AF mov eax, dword ptr fs:[00000030h] 9_2_027D90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C20A0 mov eax, dword ptr fs:[00000030h] 9_2_027C20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C20A0 mov eax, dword ptr fs:[00000030h] 9_2_027C20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C20A0 mov eax, dword ptr fs:[00000030h] 9_2_027C20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C20A0 mov eax, dword ptr fs:[00000030h] 9_2_027C20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C20A0 mov eax, dword ptr fs:[00000030h] 9_2_027C20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C20A0 mov eax, dword ptr fs:[00000030h] 9_2_027C20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02861074 mov eax, dword ptr fs:[00000030h] 9_2_02861074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02852073 mov eax, dword ptr fs:[00000030h] 9_2_02852073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02799080 mov eax, dword ptr fs:[00000030h] 9_2_02799080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279B171 mov eax, dword ptr fs:[00000030h] 9_2_0279B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279B171 mov eax, dword ptr fs:[00000030h] 9_2_0279B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279C962 mov eax, dword ptr fs:[00000030h] 9_2_0279C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028169A6 mov eax, dword ptr fs:[00000030h] 9_2_028169A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BB944 mov eax, dword ptr fs:[00000030h] 9_2_027BB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BB944 mov eax, dword ptr fs:[00000030h] 9_2_027BB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028151BE mov eax, dword ptr fs:[00000030h] 9_2_028151BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028151BE mov eax, dword ptr fs:[00000030h] 9_2_028151BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028151BE mov eax, dword ptr fs:[00000030h] 9_2_028151BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028151BE mov eax, dword ptr fs:[00000030h] 9_2_028151BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C513A mov eax, dword ptr fs:[00000030h] 9_2_027C513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C513A mov eax, dword ptr fs:[00000030h] 9_2_027C513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B4120 mov eax, dword ptr fs:[00000030h] 9_2_027B4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B4120 mov eax, dword ptr fs:[00000030h] 9_2_027B4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B4120 mov eax, dword ptr fs:[00000030h] 9_2_027B4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B4120 mov eax, dword ptr fs:[00000030h] 9_2_027B4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B4120 mov ecx, dword ptr fs:[00000030h] 9_2_027B4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028241E8 mov eax, dword ptr fs:[00000030h] 9_2_028241E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02799100 mov eax, dword ptr fs:[00000030h] 9_2_02799100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02799100 mov eax, dword ptr fs:[00000030h] 9_2_02799100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02799100 mov eax, dword ptr fs:[00000030h] 9_2_02799100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0279B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0279B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0279B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C61A0 mov eax, dword ptr fs:[00000030h] 9_2_027C61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C61A0 mov eax, dword ptr fs:[00000030h] 9_2_027C61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C2990 mov eax, dword ptr fs:[00000030h] 9_2_027C2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CA185 mov eax, dword ptr fs:[00000030h] 9_2_027CA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BC182 mov eax, dword ptr fs:[00000030h] 9_2_027BC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0282FE87 mov eax, dword ptr fs:[00000030h] 9_2_0282FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BAE73 mov eax, dword ptr fs:[00000030h] 9_2_027BAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BAE73 mov eax, dword ptr fs:[00000030h] 9_2_027BAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BAE73 mov eax, dword ptr fs:[00000030h] 9_2_027BAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BAE73 mov eax, dword ptr fs:[00000030h] 9_2_027BAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BAE73 mov eax, dword ptr fs:[00000030h] 9_2_027BAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A766D mov eax, dword ptr fs:[00000030h] 9_2_027A766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02860EA5 mov eax, dword ptr fs:[00000030h] 9_2_02860EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02860EA5 mov eax, dword ptr fs:[00000030h] 9_2_02860EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02860EA5 mov eax, dword ptr fs:[00000030h] 9_2_02860EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028146A7 mov eax, dword ptr fs:[00000030h] 9_2_028146A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A7E41 mov eax, dword ptr fs:[00000030h] 9_2_027A7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A7E41 mov eax, dword ptr fs:[00000030h] 9_2_027A7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A7E41 mov eax, dword ptr fs:[00000030h] 9_2_027A7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A7E41 mov eax, dword ptr fs:[00000030h] 9_2_027A7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A7E41 mov eax, dword ptr fs:[00000030h] 9_2_027A7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A7E41 mov eax, dword ptr fs:[00000030h] 9_2_027A7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0284FEC0 mov eax, dword ptr fs:[00000030h] 9_2_0284FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02868ED6 mov eax, dword ptr fs:[00000030h] 9_2_02868ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279E620 mov eax, dword ptr fs:[00000030h] 9_2_0279E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CA61C mov eax, dword ptr fs:[00000030h] 9_2_027CA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CA61C mov eax, dword ptr fs:[00000030h] 9_2_027CA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279C600 mov eax, dword ptr fs:[00000030h] 9_2_0279C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279C600 mov eax, dword ptr fs:[00000030h] 9_2_0279C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279C600 mov eax, dword ptr fs:[00000030h] 9_2_0279C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C8E00 mov eax, dword ptr fs:[00000030h] 9_2_027C8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02851608 mov eax, dword ptr fs:[00000030h] 9_2_02851608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A76E2 mov eax, dword ptr fs:[00000030h] 9_2_027A76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C16E0 mov ecx, dword ptr fs:[00000030h] 9_2_027C16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C36CC mov eax, dword ptr fs:[00000030h] 9_2_027C36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D8EC7 mov eax, dword ptr fs:[00000030h] 9_2_027D8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0284FE3F mov eax, dword ptr fs:[00000030h] 9_2_0284FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0285AE44 mov eax, dword ptr fs:[00000030h] 9_2_0285AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02817794 mov eax, dword ptr fs:[00000030h] 9_2_02817794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027AFF60 mov eax, dword ptr fs:[00000030h] 9_2_027AFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027AEF40 mov eax, dword ptr fs:[00000030h] 9_2_027AEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CE730 mov eax, dword ptr fs:[00000030h] 9_2_027CE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02794F2E mov eax, dword ptr fs:[00000030h] 9_2_02794F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BF716 mov eax, dword ptr fs:[00000030h] 9_2_027BF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CA70E mov eax, dword ptr fs:[00000030h] 9_2_027CA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D37F5 mov eax, dword ptr fs:[00000030h] 9_2_027D37F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0286070D mov eax, dword ptr fs:[00000030h] 9_2_0286070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0282FF10 mov eax, dword ptr fs:[00000030h] 9_2_0282FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02868F6A mov eax, dword ptr fs:[00000030h] 9_2_02868F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A8794 mov eax, dword ptr fs:[00000030h] 9_2_027A8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B746D mov eax, dword ptr fs:[00000030h] 9_2_027B746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CA44B mov eax, dword ptr fs:[00000030h] 9_2_027CA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02868CD6 mov eax, dword ptr fs:[00000030h] 9_2_02868CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027CBC2C mov eax, dword ptr fs:[00000030h] 9_2_027CBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02816CF0 mov eax, dword ptr fs:[00000030h] 9_2_02816CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028514FB mov eax, dword ptr fs:[00000030h] 9_2_028514FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02851C06 mov eax, dword ptr fs:[00000030h] 9_2_02851C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0286740D mov eax, dword ptr fs:[00000030h] 9_2_0286740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02816C0A mov eax, dword ptr fs:[00000030h] 9_2_02816C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0282C450 mov eax, dword ptr fs:[00000030h] 9_2_0282C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A849B mov eax, dword ptr fs:[00000030h] 9_2_027A849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027BC577 mov eax, dword ptr fs:[00000030h] 9_2_027BC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_028605AC mov eax, dword ptr fs:[00000030h] 9_2_028605AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027B7D50 mov eax, dword ptr fs:[00000030h] 9_2_027B7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027D3D43 mov eax, dword ptr fs:[00000030h] 9_2_027D3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027C4D3B mov eax, dword ptr fs:[00000030h] 9_2_027C4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02816DC9 mov eax, dword ptr fs:[00000030h] 9_2_02816DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02816DC9 mov ecx, dword ptr fs:[00000030h] 9_2_02816DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0279AD30 mov eax, dword ptr fs:[00000030h] 9_2_0279AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_027A3D34 mov eax, dword ptr fs:[00000030h] 9_2_027A3D34
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011F1914 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap, 15_2_011F1914
Enables debug privileges
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E7310 SetUnhandledExceptionFilter, 15_2_011E7310
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_011E6FE3
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 81.17.18.197 80
Source: C:\Windows\explorer.exe Network Connect: 104.252.192.7 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 11D0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 310000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10EC008
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 696008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\user\Desktop\oqTdpbN5rF.exe'
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Process created: C:\Users\user\Desktop\oqTdpbN5rF.exe 'C:\Users\user\Desktop\oqTdpbN5rF.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Source: explorer.exe, 00000005.00000002.933139728.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000002.933948120.0000000001080000.00000002.00000001.sdmp, oqTdpbN5rF.exe, 00000007.00000002.934354792.0000000001780000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.934837676.00000000041F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000002.933948120.0000000001080000.00000002.00000001.sdmp, oqTdpbN5rF.exe, 00000007.00000002.934354792.0000000001780000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.934837676.00000000041F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.933948120.0000000001080000.00000002.00000001.sdmp, oqTdpbN5rF.exe, 00000007.00000002.934354792.0000000001780000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.934837676.00000000041F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000002.933948120.0000000001080000.00000002.00000001.sdmp, oqTdpbN5rF.exe, 00000007.00000002.934354792.0000000001780000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.934837676.00000000041F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.708258003.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 15_2_011E3F80
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 15_2_011D96A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 15_2_011D5AEF
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Queries volume information: C:\Users\user\Desktop\oqTdpbN5rF.exe VolumeInformation
Source: C:\Users\user\Desktop\oqTdpbN5rF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E7513 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 15_2_011E7513
Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011D443C GetVersion, 15_2_011D443C

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000007.00000003.714696172.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.713983780.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.721866399.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.942029973.0000000005512000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.721749351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.684990616.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.685033711.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.722069736.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.683777247.0000000005762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.940420485.0000000004939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.732797853.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.731598557.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.932940416.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.732064865.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.732798521.0000000001120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.933824716.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.942495359.00000000062D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.oqTdpbN5rF.exe.62d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.oqTdpbN5rF.exe.62d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
(Same Yara matches as listed under Stealing of Sensitive Information above.)
Behavior Graph (ID: 321100, Sample: oqTdpbN5rF.exe, Startdate: 20/11/2020, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures. Domain resolved at start: www.iqftomatoes.com.

Process tree recovered from the graph (signatures per node in brackets):

oqTdpbN5rF.exe [Writes to foreign memory regions; Maps a DLL or memory area into another process]
  RegAsm.exe [Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)]
    explorer.exe (injected) [System process connects to network (likely due to code injection or exploit)]
      network: www.bikininbodymommy.com 81.17.18.197 port 80 (PLI-ASCH, Switzerland); www.buyiprod.com 104.252.192.7 port 80 (EGIHOSTINGUS, United States); www.camera-kento.com
      NETSTAT.EXE [Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements]
        cmd.exe
          conhost.exe
      cmd.exe
  oqTdpbN5rF.exe [Writes to foreign memory regions]
    RegAsm.exe [Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique]
    cmd.exe
      conhost.exe
      choice.exe
  cmd.exe [Tries to detect virtualization through RDTSC time measurements]
    conhost.exe
    choice.exe

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.252.192.7 | unknown | United States | 18779 | EGIHOSTINGUS | true
81.17.18.197 | unknown | Switzerland | 51852 | PLI-ASCH | true

Contacted Domains

Name IP Active
www.iqftomatoes.com 52.58.78.16 true
www.bikininbodymommy.com 81.17.18.197 true
www.buyiprod.com 104.252.192.7 true
www.camera-kento.com unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.buyiprod.com/kgw/?NTlTsb=o2J8lThHmJUlqtc0&0V0hlT=F7U1ZxCjw0QXGNF8VmzdEObB3hNcDi5za+FuEorWYUt6zFjVN/aD/y1X6yN+u1VrnSag | true | Avira URL Cloud: safe | unknown
http://www.bikininbodymommy.com/kgw/?NTlTsb=o2J8lThHmJUlqtc0&0V0hlT=nwMujlop9k/e7RKxDV6F2DOpfZu+NAvKA+XHz2bBew91D/bKU35KPyupQFDW23mxRXA2 | true | Avira URL Cloud: safe | unknown