Loading ...

Play interactive tourEdit tour

Analysis Report 50dEFDImnl.exe

Overview

General Information

Sample Name:50dEFDImnl.exe
MD5:84a3a01a8f800d306374eab168150b97
SHA1:bdcf0b4a2c9502badc8e7c7b5510213e91b75404
SHA256:b1e9df7fb9b823a8e86cb70f1a4ff04a1f98fdb67f1327d21c3df7a60a89efdd

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Capture Wi-Fi password
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • 50dEFDImnl.exe (PID: 4424 cmdline: 'C:\Users\user\Desktop\50dEFDImnl.exe' MD5: 84A3A01A8F800D306374EAB168150B97)
    • RegAsm.exe (PID: 3740 cmdline: 'C:\Users\user\Desktop\50dEFDImnl.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 4692 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "oOWnm7XpCQOjm", "URL: ": "https://OoZQCinlvG9oE.org", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "taMaTGoDN", "From: ": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.1200815338.000000001FFBF000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000002.00000002.1200815338.000000001FFBF000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegAsm.exe PID: 3740JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: RegAsm.exe PID: 3740JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

            Sigma Overview


            System Summary:

            barindex
            Sigma detected: Capture Wi-Fi passwordShow sources
            Source: Process startedAuthor: Joe Security: Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\Desktop\50dEFDImnl.exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 3740, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 4692
            Sigma detected: RegAsm connects to smtp portShow sources
            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 3740, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49751

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus / Scanner detection for submitted sampleShow sources
            Source: 50dEFDImnl.exeAvira: detected
            Found malware configurationShow sources
            Source: RegAsm.exe.3740.2.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "oOWnm7XpCQOjm", "URL: ": "https://OoZQCinlvG9oE.org", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "taMaTGoDN", "From: ": ""}
            Multi AV Scanner detection for submitted fileShow sources
            Source: 50dEFDImnl.exeVirustotal: Detection: 20%Perma Link

            Source: global trafficTCP traffic: 192.168.2.5:49751 -> 77.88.21.158:587
            Source: Joe Sandbox ViewIP Address: 104.16.202.237 104.16.202.237
            Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficTCP traffic: 192.168.2.5:49751 -> 77.88.21.158:587
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FD9A09A recv,2_2_1FD9A09A
            Source: unknownDNS traffic detected: queries for: www.mediafire.com
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
            Source: RegAsm.exe, 00000002.00000002.1197891352.000000000145C000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: RegAsm.exe, 00000002.00000002.1197891352.000000000145C000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
            Source: RegAsm.exe, 00000002.00000003.858804417.0000000001484000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSA
            Source: RegAsm.exe, 00000002.00000003.858804417.0000000001484000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.cr
            Source: RegAsm.exe, 00000002.00000002.1197891352.000000000145C000.00000004.00000020.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
            Source: RegAsm.exe, 00000002.00000002.1197891352.000000000145C000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: RegAsm.exe, 00000002.00000003.858804417.0000000001484000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
            Source: RegAsm.exe, 00000002.00000002.1197891352.000000000145C000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.sectigo.com0)
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
            Source: RegAsm.exe, 00000002.00000002.1202993774.0000000022950000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
            Source: RegAsm.exe, 00000002.00000002.1200815338.000000001FFBF000.00000004.00000001.sdmpString found in binary or memory: https://OoZQCinlvG9oE.org
            Source: RegAsm.exe, 00000002.00000002.1200815338.000000001FFBF000.00000004.00000001.sdmpString found in binary or memory: https://OoZQCinlvG9oE.orgX)
            Source: RegAsm.exe, 00000002.00000003.858822427.000000000148A000.00000004.00000001.sdmpString found in binary or memory: https://download1247.mediafire.com/ww71ydtcivtg/1stooazcyr88jmr/origin_coBhIJXp234.bin
            Source: RegAsm.exe, 00000002.00000002.1197891352.000000000145C000.00000004.00000020.sdmpString found in binary or memory: https://sectigo.com/CPS0
            Source: RegAsm.exe, 00000002.00000002.1201349524.000000002013C000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0
            Source: RegAsm.exe, 00000002.00000002.1197446548.0000000001170000.00000040.00000001.sdmpString found in binary or memory: https://www.mediafire.com/file/1stooazcyr88jmr/origin_coBhIJXp234.bin/file
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117767D NtSetInformationThread,2_2_0117767D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011772A9 NtProtectVirtualMemory,2_2_011772A9
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117790D NtSetInformationThread,2_2_0117790D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117793E NtSetInformationThread,2_2_0117793E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117798C NtSetInformationThread,2_2_0117798C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011779BD NtSetInformationThread,2_2_011779BD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011779EA NtSetInformationThread,2_2_011779EA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01177831 NtSetInformationThread,2_2_01177831
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117785F NtSetInformationThread,2_2_0117785F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117788D NtSetInformationThread,2_2_0117788D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011778DB NtSetInformationThread,2_2_011778DB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117770B NtSetInformationThread,2_2_0117770B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01177B3D NtSetInformationThread,2_2_01177B3D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117073C NtSetInformationThread,2_2_0117073C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117773A NtSetInformationThread,2_2_0117773A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117077E NtSetInformationThread,2_2_0117077E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01177767 NtSetInformationThread,2_2_01177767
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011777A8 NtSetInformationThread,2_2_011777A8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011707D7 NtSetInformationThread,2_2_011707D7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011777EB NtSetInformationThread,2_2_011777EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01177A1F NtSetInformationThread,2_2_01177A1F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01177695 NtSetInformationThread,2_2_01177695
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01177A8D NtSetInformationThread,2_2_01177A8D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011706E6 NtSetInformationThread,2_2_011706E6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011706E4 NtSetInformationThread,2_2_011706E4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01177AE1 NtSetInformationThread,2_2_01177AE1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FD9B362 NtQuerySystemInformation,2_2_1FD9B362
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FD9B331 NtQuerySystemInformation,2_2_1FD9B331
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_004014600_2_00401460
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_004112F80_2_004112F8
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_004035E10_2_004035E1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222CB2902_2_222CB290
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C0F082_2_222C0F08
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222CAB182_2_222CAB18
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C53602_2_222C5360
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C7F882_2_222C7F88
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C83D82_2_222C83D8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C00702_2_222C0070
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222CD4E02_2_222CD4E0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222CA5E02_2_222CA5E0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C25F42_2_222C25F4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C42332_2_222C4233
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C3A652_2_222C3A65
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C26AC2_2_222C26AC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C26C32_2_222C26C3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C2F3A2_2_222C2F3A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C273B2_2_222C273B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C3B012_2_222C3B01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222CC3652_2_222CC365
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C33782_2_222C3378
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C7F782_2_222C7F78
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C53532_2_222C5353
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C879B2_2_222C879B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C83C82_2_222C83C8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222CA7DE2_2_222CA7DE
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C2FD32_2_222C2FD3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C44212_2_222C4421
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C58002_2_222C5800
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C58102_2_222C5810
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C006D2_2_222C006D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C89462_2_222C8946
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C25F42_2_222C25F4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_2238F0A82_2_2238F0A8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_2238FC652_2_2238FC65
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_223800072_2_22380007
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_2238F4E12_2_2238F4E1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_2238F09D2_2_2238F09D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_2238F8112_2_2238F811
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_2238F5832_2_2238F583
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BA00F52_2_22BA00F5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BA08302_2_22BA0830
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BA32702_2_22BA3270
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BA00702_2_22BA0070
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BA2E402_2_22BA2E40
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BA08822_2_22BA0882
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BA08EB2_2_22BA08EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BA00062_2_22BA0006
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BBE6882_2_22BBE688
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BBF2282_2_22BBF228
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BB5B712_2_22BB5B71
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BBA5902_2_22BBA590
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BBE9E82_2_22BBE9E8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BBD5E02_2_22BBD5E0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BBB9502_2_22BBB950
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BBBED82_2_22BBBED8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_22BBDC582_2_22BBDC58
            Source: 50dEFDImnl.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 50dEFDImnl.exe, 00000000.00000002.866287663.000000000041B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSeparatisme.exe vs 50dEFDImnl.exe
            Source: 50dEFDImnl.exeBinary or memory string: OriginalFilenameSeparatisme.exe vs 50dEFDImnl.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: security.dllJump to behavior
            Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@7/0@3/3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FD9B1E6 AdjustTokenPrivileges,2_2_1FD9B1E6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FD9B1AF AdjustTokenPrivileges,2_2_1FD9B1AF
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: 50dEFDImnl.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\50dEFDImnl.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\50dEFDImnl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: 50dEFDImnl.exeVirustotal: Detection: 20%
            Source: unknownProcess created: C:\Users\user\Desktop\50dEFDImnl.exe 'C:\Users\user\Desktop\50dEFDImnl.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\50dEFDImnl.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\50dEFDImnl.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\50dEFDImnl.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
            Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000002.00000002.1203307658.0000000022BC0000.00000002.00000001.sdmp

            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_00406E0E push ds; ret 0_2_00406E11
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_00408A0F push ds; iretd 0_2_00408A21
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_00407E8A push ds; ret 0_2_00407E51
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_0040890F push ds; iretd 0_2_00408921
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_00408B0F push ds; iretd 0_2_00408B21
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_00407DD2 push ds; ret 0_2_00407E51
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_0040AFBC push es; ret 0_2_0040AFC1
            Source: C:\Users\user\Desktop\50dEFDImnl.exeCode function: 0_2_004075BF push ds; ret 0_2_004075FD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01177FE8 push ds; iretd 2_2_01177FEB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FE30700 push esi; iretd 2_2_1FE307B1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FE3000C pushad ; iretd 2_2_1FE30051
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C5E28 pushad ; retf 1FE2h2_2_222C5E2D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_222C1963 push esp; iretd 2_2_222C1969

            Source: C:\Users\user\Desktop\50dEFDImnl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117316A 2_2_0117316A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01173168 2_2_01173168
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\50dEFDImnl.exeRDTSC instruction interceptor: First address: 00000000005B3192 second address: 00000000005B31ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4CD86F514Ah 0x00000004 clc 0x00000005 lfence 0x00000008 cld 0x00000009 shl edx, 20h 0x0000000c nop 0x0000000d or edx, eax 0x0000000f mov esi, edx 0x00000011 pushad 0x00000012 mov eax, 00000001h 0x00000017 cpuid 0x00000019 bt ecx, 1Fh 0x0000001d jc 00007F4CD86F5112h 0x0000001f popad 0x00000020 lfence 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\50dEFDImnl.exeRDTSC instruction interceptor: First address: 00000000005B31ED second address: 00000000005B3192 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jng 00007F4CD8A83BACh 0x00000015 ret 0x00000016 add edi, edx 0x00000018 pop ecx 0x00000019 dec ecx 0x0000001a cmp ecx, 00000000h 0x0000001d jne 00007F4CD8A83C33h 0x0000001f push ecx 0x00000020 call 00007F4CD8A83C5Eh 0x00000025 jmp 00007F4CD8A83C66h 0x00000027 clc 0x00000028 lfence 0x0000002b rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001173192 second address: 00000000011731ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4CD86F514Ah 0x00000004 clc 0x00000005 lfence 0x00000008 cld 0x00000009 shl edx, 20h 0x0000000c nop 0x0000000d or edx, eax 0x0000000f mov esi, edx 0x00000011 pushad 0x00000012 mov eax, 00000001h 0x00000017 cpuid 0x00000019 bt ecx, 1Fh 0x0000001d jc 00007F4CD86F5112h 0x0000001f popad 0x00000020 lfence 0x00000023 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 00000000011731ED second address: 0000000001173192 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jng 00007F4CD8A83BACh 0x00000015 ret 0x00000016 add edi, edx 0x00000018 pop ecx 0x00000019 dec ecx 0x0000001a cmp ecx, 00000000h 0x0000001d jne 00007F4CD8A83C33h 0x0000001f push ecx 0x00000020 call 00007F4CD8A83C5Eh 0x00000025 jmp 00007F4CD8A83C66h 0x00000027 clc 0x00000028 lfence 0x0000002b rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117316A rdtsc 2_2_0117316A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\50dEFDImnl.exeAPI coverage: 0.4 %
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -89250s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -59280s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -59094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -58594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -87609s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -58188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -57812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -56906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -56688s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -56500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -55812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -81750s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -54312s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -53594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -52688s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -52000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -51500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -51280s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -51094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -50624s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -50000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -49688s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -49500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -49000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -48594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -48312s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -48094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -47906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -47406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -47218s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -46312s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -45906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -45500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -45218s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -66468s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -66186s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -43594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -65109s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -64782s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -43000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -42500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -63468s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -42094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -41188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -40906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -39406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -39094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -38906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -38000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -37500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -37312s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -37124s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -36812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -36594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -54609s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -36124s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -35906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -34780s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -33906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -33688s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -30500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -57218s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -56312s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -55406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -55188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -52500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -46094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -45000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -44500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -35500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -35000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -33218s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -33000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -32812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -32124s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -31718s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4236Thread sleep time: -30906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: RegAsm.exe, 00000002.00000002.1202515379.0000000022590000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: RegAsm.exe, 00000002.00000002.1202515379.0000000022590000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: RegAsm.exe, 00000002.00000002.1202515379.0000000022590000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: RegAsm.exe, 00000002.00000002.1197446548.0000000001170000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: RegAsm.exe, 00000002.00000002.1202515379.0000000022590000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging:

            barindex
            Contains functionality to hide a thread from the debuggerShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117073C NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,000000002_2_0117073C
            Hides threads from debuggersShow sources
            Source: C:\Users\user\Desktop\50dEFDImnl.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0117316A rdtsc 2_2_0117316A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_011737E2 LdrInitializeThunk,2_2_011737E2