Joe Sandbox Cloud Pro Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report New Inquiry 903838737777721102029393003938.exe

Overview

General Information

Sample Name:New Inquiry 903838737777721102029393003938.exe
Analysis ID:112557
MD5:01a54f73856cfb74a3bbba47bcec227b
SHA1:ed2ed885dcd7be832cdae5c189bd7db78ca9eaa2
SHA256:759c87f02d5850ee317454dc8242067d042a320f653946c9162b645c0ae68ba6

Most interesting Screenshot:

Detection

GuLoader LuminosityLink
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Yara detected LuminosityLink RAT
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64native
  • New Inquiry 903838737777721102029393003938.exe (PID: 6652 cmdline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' MD5: 01A54F73856CFB74A3BBBA47BCEC227B)
    • RegAsm.exe (PID: 1576 cmdline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
    • RegAsm.exe (PID: 1440 cmdline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
      • conhost.exe (PID: 1584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
      • anibtcent.exe.exe (PID: 4188 cmdline: 'C:\ProgramData\782401\anibtcent.exe.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
        • conhost.exe (PID: 1500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
  • demisphereklediskene.exe (PID: 1812 cmdline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' MD5: 01A54F73856CFB74A3BBBA47BCEC227B)
    • RegAsm.exe (PID: 4328 cmdline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
      • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
  • RegAsm.exe (PID: 2652 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
    • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
  • demisphereklediskene.exe (PID: 2140 cmdline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' MD5: 01A54F73856CFB74A3BBBA47BCEC227B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmpJoeSecurity_LuminosityLinkYara detected LuminosityLink RATJoe Security
      00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
        Process Memory Space: RegAsm.exe PID: 1440JoeSecurity_GuLoaderYara detected GuLoaderJoe Security
          Process Memory Space: RegAsm.exe PID: 1440JoeSecurity_LuminosityLinkYara detected LuminosityLink RATJoe Security
            Click to see the 1 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeVirustotal: Detection: 20%Perma Link
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeReversingLabs: Detection: 18%
            Multi AV Scanner detection for submitted fileShow sources
            Source: New Inquiry 903838737777721102029393003938.exeVirustotal: Detection: 20%Perma Link
            Source: New Inquiry 903838737777721102029393003938.exeReversingLabs: Detection: 18%
            Yara detected LuminosityLink RATShow sources
            Source: Yara matchFile source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

            Bitcoin Miner:

            barindex
            Yara detected LuminosityLink RATShow sources
            Source: Yara matchFile source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY
            Source: global trafficTCP traffic: 192.168.0.80:49780 -> 194.5.97.46:3021
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownDNS traffic detected: queries for: onedrive.live.com
            Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
            Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
            Source: RegAsm.exe, 0000000D.00000002.24301548535.00000000010C1000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.msocsp.com0
            Source: RegAsm.exe, 0000000D.00000002.24328207020.0000000021190000.00000002.00000001.sdmpString found in binary or memory: https://aka.ms/hcsadmin
            Source: RegAsm.exe, 0000000D.00000002.24301095324.000000000107D000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmpString found in binary or memory: https://eaup2w.sn.files.1drv.com/
            Source: RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265299276.0000000000E52000.00000004.00000020.sdmpString found in binary or memory: https://eaup2w.sn.files.1drv.com/y4m4bqAkwHQUJx1iHbF6prKSSCddXNt-56Mg951zMrckoiAx-x88t2pks0UEJqWB7st
            Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 0000000D.00000002.24301548535.00000000010C1000.00000004.00000020.sdmpString found in binary or memory: https://eaup2w.sn.files.1drv.com/y4mcRoU26afjmMcM96C_CG1xmFAJaGVWXqZWLE8oSmKi-bsn2pOmBTUtvaCnggDIr1k
            Source: RegAsm.exe, 0000000D.00000002.24300776016.000000000104B000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/
            Source: RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=249E8FCE0A15C968&resid=249E8FCE0A15C968%211276&authkey=ADoYXV
            Source: RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/l
            Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Installs a global keyboard hookShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeJump to behavior

            E-Banking Fraud:

            barindex
            Yara detected LuminosityLink RATShow sources
            Source: Yara matchFile source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_02240A3F NtSetInformationThread,3_2_02240A3F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_02240AA2 NtSetInformationThread,3_2_02240AA2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F09EF3 NtSetInformationThread,13_2_00F09EF3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F005E5 EnumWindows,NtSetInformationThread,13_2_00F005E5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F09B4C NtProtectVirtualMemory,13_2_00F09B4C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F016BE NtSetInformationThread,13_2_00F016BE
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F00A7A NtSetInformationThread,13_2_00F00A7A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F09E56 NtProtectVirtualMemory,13_2_00F09E56
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F00631 NtSetInformationThread,13_2_00F00631
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F00629 NtSetInformationThread,13_2_00F00629
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F011F0 NtSetInformationThread,13_2_00F011F0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F01719 NtSetInformationThread,13_2_00F01719
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_204F2CD2 NtQuerySystemInformation,13_2_204F2CD2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_204F2C97 NtQuerySystemInformation,13_2_204F2C97
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeCode function: 18_2_021C0A3F NtSetInformationThread,18_2_021C0A3F
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeCode function: 18_2_021C0AA2 NtSetInformationThread,18_2_021C0AA2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C39EF3 NtSetInformationThread,19_2_00C39EF3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C305E5 EnumWindows,NtSetInformationThread,19_2_00C305E5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C39B4C NtProtectVirtualMemory,19_2_00C39B4C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C316BE NtSetInformationThread,19_2_00C316BE
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C39E56 NtProtectVirtualMemory,19_2_00C39E56
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C30A7A NtSetInformationThread,19_2_00C30A7A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C3A824 NtQueryInformationProcess,19_2_00C3A824
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C30629 NtSetInformationThread,19_2_00C30629
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C30631 NtSetInformationThread,19_2_00C30631
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C311F0 NtSetInformationThread,19_2_00C311F0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C3A30D NtQueryInformationProcess,19_2_00C3A30D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C39F12 NtQueryInformationProcess,19_2_00C39F12
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C31719 NtSetInformationThread,19_2_00C31719
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Windows\SysWOW64\clientsvr.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_00F005E513_2_00F005E5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE1E1E13_2_1FEE1E1E
            Source: C:\ProgramData\782401\anibtcent.exe.exeCode function: 16_2_050F01B716_2_050F01B7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 19_2_00C305E519_2_00C305E5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00C801B721_2_00C801B7
            Source: New Inquiry 903838737777721102029393003938.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: demisphereklediskene.exe.13.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24036753540.0000000000413000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStrenger.exe vs New Inquiry 903838737777721102029393003938.exe
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24037858669.00000000005E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs New Inquiry 903838737777721102029393003938.exe
            Source: New Inquiry 903838737777721102029393003938.exeBinary or memory string: OriginalFilenameStrenger.exe vs New Inquiry 903838737777721102029393003938.exe
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeSection loaded: vb6zz.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeSection loaded: vb6zz.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeSection loaded: vb6zz.dllJump to behavior
            Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@16/8@10/2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_204F2A92 AdjustTokenPrivileges,13_2_204F2A92
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_204F2A5B AdjustTokenPrivileges,13_2_204F2A5B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\Hustankesgy3Jump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1500:120:WilError_02
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1584:120:WilError_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_02
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\7433cdb324b04dd5e3c3db213381216c7c539baa
            Source: New Inquiry 903838737777721102029393003938.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dllJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: New Inquiry 903838737777721102029393003938.exeVirustotal: Detection: 20%
            Source: New Inquiry 903838737777721102029393003938.exeReversingLabs: Detection: 18%
            Source: unknownProcess created: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\ProgramData\782401\anibtcent.exe.exe 'C:\ProgramData\782401\anibtcent.exe.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\Hustankesgy3\demisphereklediskene.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\Hustankesgy3\demisphereklediskene.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' Jump to behavior
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\ProgramData\782401\anibtcent.exe.exe 'C:\ProgramData\782401\anibtcent.exe.exe' Jump to behavior
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9554_none_d08d6fa2442aa556\MSVCR80.dllJump to behavior
            Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000000D.00000002.24325004854.000000001FFF5000.00000004.00000001.sdmp, anibtcent.exe.exe, anibtcent.exe.exe.13.dr
            Source: Binary string: mscorrc.pdb source: RegAsm.exe, 0000000D.00000002.24324313659.000000001FF60000.00000002.00000001.sdmp, RegAsm.exe, 00000013.00000002.24283755110.000000001FDF0000.00000002.00000001.sdmp

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4328, type: MEMORY
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040E750 pushad ; ret 3_2_0040E7DF
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00406A5A push ecx; retf 3_2_00406A5B
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040E77E pushad ; ret 3_2_0040E7DF
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00406418 push ecx; retf 3_2_0040642F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409FC6 push ecx; ret 3_2_00409FC7
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A6C9 push ebx; retf 3_2_0040A6D3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409FE7 push ebx; retf 3_2_00409FF3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A6EC push ebx; retf 3_2_0040A703
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409F88 push ebx; retf 3_2_00409F8F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A68E push ebx; retf 3_2_0040A703
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409FAC push ebx; retf 3_2_00409FBF
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A0B0 push ecx; ret 3_2_0040A0C3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_004063B8 push ecx; retf 3_2_0040642F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409EBE push ebp; retf 3_2_00409EF3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_02240A3F push cs; retf 3_2_02240A91
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_02243604 push edi; ret 3_2_0224360E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1DB256F5 push edx; iretd 13_2_1DB256F6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1DB22E29 push ds; iretd 13_2_1DB23206
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1DB23662 push ecx; ret 13_2_1DB2366D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE39A1 push ebp; retf 13_2_1FEE39A2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE3D9B push esi; retf 13_2_1FEE3DA2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE3D98 push esi; retf 13_2_1FEE3D9A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE3921 push esp; retf 13_2_1FEE3922
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE3EEB push edi; retf 13_2_1FEE3EF2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE3EE8 push edi; retf 13_2_1FEE3EEA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE0AD8 push F01DCB26h; retf 13_2_1FEE0ADD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE3843 push esp; retf 13_2_1FEE384A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE3841 push esp; retf 13_2_1FEE3842
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_1FEE0006 push ss; retf 13_2_1FEE002E
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeCode function: 18_2_021C0A3F push cs; retf 18_2_021C0A91
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0241000C pushfd ; retf 21_2_02410053
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\ProgramData\782401\anibtcent.exe.exeJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Windows\SysWOW64\clientsvr.exeJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\Hustankesgy3\demisphereklediskene.exeJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\ProgramData\782401\anibtcent.exe.exeJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Windows\SysWOW64\clientsvr.exeJump to dropped file

            Boot Survival:

            barindex
            Creates an autostart registry key pointing to binary in C:\WindowsShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKPJump to behavior
            Creates an undocumented autostart registry key Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon UserinitJump to behavior
            Creates multiple autostart registry keysShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnessesJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKPJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnessesJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnessesJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnessesJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnessesJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKPJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKPJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKPJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKPJump to behavior

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | deleteJump to behavior
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\782401\anibtcent.exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior