Loading ...

Play interactive tourEdit tour

Analysis Report yQDGREHA9h.exe

Overview

General Information

Sample Name:yQDGREHA9h.exe
Analysis ID:321298
MD5:c11d6124ee0522c7ab71d20cf3474dc0
SHA1:c52a64b7189c762b907a9d727950f3d1364c68ba
SHA256:871a7f14c61157dbea48d27f92bc64097e10eb44a9c8ef7543c435e275ca249c
Tags:AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • yQDGREHA9h.exe (PID: 7020 cmdline: 'C:\Users\user\Desktop\yQDGREHA9h.exe' MD5: C11D6124EE0522C7AB71D20CF3474DC0)
    • RegAsm.exe (PID: 4576 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 4596 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 4496 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • yQDGREHA9h.exe (PID: 6296 cmdline: 'C:\Users\user\Desktop\yQDGREHA9h.exe' MD5: C11D6124EE0522C7AB71D20CF3474DC0)
      • RegAsm.exe (PID: 5760 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "FD4rx", "URL: ": "https://gQdNNrdkwNQuy.com", "To: ": "peter.terkper@gh-wilmar-intl.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "VWxfjLlGpC", "From: ": "peter.terkper@gh-wilmar-intl.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.282867614.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000005.00000002.519501217.000000000129F000.00000004.00000020.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000006.00000002.520499133.0000000002DE5000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000006.00000002.520499133.0000000002DE5000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000003.477175512.0000000004577000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 13 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.yQDGREHA9h.exe.5360000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              5.2.yQDGREHA9h.exe.5550000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                4.2.RegAsm.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  6.2.RegAsm.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                    Sigma Overview

                    System Summary:

                    barindex
                    Sigma detected: RegAsm connects to smtp portShow sources
                    Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 5760, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49741

                    Signature Overview

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection:

                    barindex
                    Found malware configurationShow sources
                    Source: RegAsm.exe.5760.6.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "FD4rx", "URL: ": "https://gQdNNrdkwNQuy.com", "To: ": "peter.terkper@gh-wilmar-intl.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "VWxfjLlGpC", "From: ": "peter.terkper@gh-wilmar-intl.com"}
                    Multi AV Scanner detection for submitted fileShow sources
                    Source: yQDGREHA9h.exeVirustotal: Detection: 32%Perma Link
                    Source: yQDGREHA9h.exeReversingLabs: Detection: 51%
                    Machine Learning detection for sampleShow sources
                    Source: yQDGREHA9h.exeJoe Sandbox ML: detected
                    Source: 4.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 6.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                    Networking:

                    barindex
                    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                    Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49741 -> 208.91.199.223:587
                    May check the online IP address of the machineShow sources
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.5:49741 -> 208.91.199.223:587
                    Source: Joe Sandbox ViewIP Address: 54.235.83.248 54.235.83.248
                    Source: Joe Sandbox ViewIP Address: 54.235.83.248 54.235.83.248
                    Source: Joe Sandbox ViewIP Address: 208.91.199.223 208.91.199.223
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: global trafficTCP traffic: 192.168.2.5:49741 -> 208.91.199.223:587
                    Source: unknownDNS traffic detected: queries for: g.msn.com
                    Source: RegAsm.exe, 00000004.00000002.284627865.0000000002AD1000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.520365632.0000000002D91000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: RegAsm.exe, 00000006.00000002.520365632.0000000002D91000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                    Source: RegAsm.exe, 00000006.00000002.520365632.0000000002D91000.00000004.00000001.sdmpString found in binary or memory: http://VaMNef.com
                    Source: RegAsm.exe, 00000006.00000002.525712383.0000000005EF2000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                    Source: RegAsm.exe, 00000006.00000002.525712383.0000000005EF2000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
                    Source: RegAsm.exe, 00000006.00000002.525712383.0000000005EF2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: RegAsm.exe, 00000006.00000002.520365632.0000000002D91000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: RegAsm.exe, 00000006.00000002.521726463.0000000003052000.00000004.00000001.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                    Source: RegAsm.exe, 00000006.00000002.520365632.0000000002D91000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org
                    Source: RegAsm.exe, 00000006.00000002.520365632.0000000002D91000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: RegAsm.exe, 00000006.00000002.520365632.0000000002D91000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
                    Source: yQDGREHA9h.exe, 00000000.00000003.477175512.0000000004577000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.282867614.0000000000402000.00000040.00000001.sdmp, RegAsm.exe, 00000006.00000002.518041346.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
                    Source: RegAsm.exe, 00000004.00000002.284627865.0000000002AD1000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.520365632.0000000002D91000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
                    Source: RegAsm.exe, 00000006.00000002.520499133.0000000002DE5000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.521789373.0000000003062000.00000004.00000001.sdmpString found in binary or memory: https://gQdNNrdkwNQuy.com
                    Source: RegAsm.exe, 00000006.00000002.525712383.0000000005EF2000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                    Source: yQDGREHA9h.exe, 00000000.00000003.477175512.0000000004577000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.282867614.0000000000402000.00000040.00000001.sdmp, RegAsm.exe, 00000006.00000002.518041346.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                    Source: RegAsm.exe, 00000004.00000002.284627865.0000000002AD1000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.520365632.0000000002D91000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443

                    System Summary:

                    barindex
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeCode function: 0_2_050A1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,0_2_050A1C09
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeCode function: 0_2_050A00AD NtOpenSection,NtMapViewOfSection,0_2_050A00AD
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeCode function: 0_2_005FF5C10_2_005FF5C1
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeCode function: 0_2_027504F00_2_027504F0
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeCode function: 0_2_027504E10_2_027504E1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_029B46A04_2_029B46A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_029B45B04_2_029B45B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_029BD2E04_2_029BD2E0
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeCode function: 5_2_00C8F5C15_2_00C8F5C1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02C246A06_2_02C246A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02C23CF66_2_02C23CF6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02C246306_2_02C24630
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02C245B06_2_02C245B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_06126C606_2_06126C60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_061275306_2_06127530
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_061290F06_2_061290F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_061269186_2_06126918
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_064FC7586_2_064FC758
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_064F37E06_2_064F37E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_064F8F906_2_064F8F90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_064F1DB06_2_064F1DB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_064F30C86_2_064F30C8
                    Source: yQDGREHA9h.exe, 00000000.00000003.477175512.0000000004577000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamepwsSelYjnDuiaJji.bounce.exe4 vs yQDGREHA9h.exe
                    Source: yQDGREHA9h.exe, 00000000.00000003.477175512.0000000004577000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSWPZhCERqvWyNKntNHGDwfCzykBRDdaNrNk.exe4 vs yQDGREHA9h.exe
                    Source: yQDGREHA9h.exe, 00000000.00000002.530220941.0000000006870000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs yQDGREHA9h.exe
                    Source: yQDGREHA9h.exe, 00000000.00000002.530394947.0000000006960000.00000002.00000001.sdmpBinary or memory string: originalfilename vs yQDGREHA9h.exe
                    Source: yQDGREHA9h.exe, 00000000.00000002.530394947.0000000006960000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs yQDGREHA9h.exe
                    Source: yQDGREHA9h.exe, 00000005.00000002.529019717.00000000057E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamepwsSelYjnDuiaJji.bounce.exe4 vs yQDGREHA9h.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                    Source: yQDGREHA9h.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@11/0@4/2
                    Source: yQDGREHA9h.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: yQDGREHA9h.exeVirustotal: Detection: 32%
                    Source: yQDGREHA9h.exeReversingLabs: Detection: 51%
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeFile read: C:\Users\user\Desktop\yQDGREHA9h.exe:Zone.IdentifierJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\yQDGREHA9h.exe 'C:\Users\user\Desktop\yQDGREHA9h.exe'
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\yQDGREHA9h.exe 'C:\Users\user\Desktop\yQDGREHA9h.exe'
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess created: C:\Users\user\Desktop\yQDGREHA9h.exe 'C:\Users\user\Desktop\yQDGREHA9h.exe' Jump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: yQDGREHA9h.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: yQDGREHA9h.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0612F4E0 pushad ; iretd 6_2_0612F929
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0612E6C5 push BA000000h; ret 6_2_0612E6D2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_064F7620 push es; ret 6_2_064F86C4
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.8672821185
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion:

                    barindex
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeWindow / User API: threadDelayed 486Jump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeWindow / User API: threadDelayed 2389Jump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeWindow / User API: threadDelayed 1768Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 732Jump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exe TID: 7024Thread sleep time: -47780s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exe TID: 6464Thread sleep count: 263 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exe TID: 6352Thread sleep count: 1768 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exe TID: 6352Thread sleep time: -35360s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5616Thread sleep count: 62 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5616Thread sleep count: 732 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -59500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -118624s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -58406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -58186s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -58000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -86718s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -57312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -57094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -56906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -113372s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -111624s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -111188s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -54906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -54686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -109000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -81468s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -53812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -53594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -106812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -106372s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -52500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -104624s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -52094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -51406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -51186s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -76500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -101624s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -50312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -50094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -74859s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -99372s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -99000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -49000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -97624s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -97188s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -47686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -95000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -94624s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -46812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -46594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -92812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -92372s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -45500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -90624s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -90188s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -44406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -44186s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -44000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -87624s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -43312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -64359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -64029s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -42000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -41812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -62391s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -40906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -60750s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -60468s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -59109s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -58779s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -38906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -38686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -38186s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -37906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -37686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -56250s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -74624s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -37094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -36812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -54279s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -53250s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -52968s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -51279s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -51000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -33312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -33094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -49359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -32686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -32500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -32312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -48000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -31812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -30906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -30686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -30500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -30312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -89718s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -59594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -88359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -88029s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -58500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -86391s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -57406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -84750s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -56312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -56094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -83109s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -82779s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -54812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -54094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -53906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -53686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -53000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -79218s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -52594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -77859s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -77529s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -51500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -51312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -75891s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -50406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -73968s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -72609s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -72279s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -47812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -70641s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -46686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -46000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -68718s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -45594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -44906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -67029s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -44500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -44312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -65391s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -43406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -43186s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -42500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -42312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -62109s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -41186s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -41000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -40094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -39686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -39000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -38594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -38312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -38094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -37000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -36594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -36406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -35686s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -35094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -34594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -34406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -33500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180Thread sleep time: -31094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeLast function: Thread delayed
                    Source: RegAsm.exe, 00000004.00000002.290060976.0000000005D00000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.525797285.0000000005F90000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: RegAsm.exe, 00000006.00000003.512671288.0000000005EEC000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-$
                    Source: RegAsm.exe, 00000004.00000002.290060976.0000000005D00000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.525797285.0000000005F90000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: RegAsm.exe, 00000004.00000002.290060976.0000000005D00000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.525797285.0000000005F90000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: RegAsm.exe, 00000004.00000002.290060976.0000000005D00000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.525797285.0000000005F90000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0612C8BE KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,KiUserExceptionDispatcher,6_2_0612C8BE
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeCode function: 0_2_050A01CB mov eax, dword ptr fs:[00000030h]0_2_050A01CB
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeCode function: 0_2_050A00AD mov ecx, dword ptr fs:[00000030h]0_2_050A00AD
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeCode function: 0_2_050A00AD mov eax, dword ptr fs:[00000030h]0_2_050A00AD
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion:

                    barindex
                    Maps a DLL or memory area into another processShow sources
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior
                    Writes to foreign memory regionsShow sources
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 976008Jump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                    Source: C:\Users\user\Desktop\yQDGREHA9h.exeProcess created: C:\Users\user\Desktop\yQDGREHA9h.exe 'C:\Users\user\Desktop\yQDGREHA9h.exe' Jump to behavior