Analysis Report dd.exe

Overview

General Information

Sample Name:dd.exe
Analysis ID:380091
MD5:287073f3d2c3100ba375b7bf0db3b0d9
SHA1:8e09353697169cd3caaf49a008d53ade63b25526
SHA256:f32f7005937b4c94ff31996fde6a0843c05bfb47458ad29a15ddf3fb70c435d2

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Potential malicious icon found
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates multiple autostart registry keys
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • dd.exe (PID: 7144 cmdline: 'C:\Users\user\Desktop\dd.exe' MD5: 287073F3D2C3100BA375B7BF0DB3B0D9)
    • ieinstal.exe (PID: 6660 cmdline: 'C:\Users\user\Desktop\dd.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • ota.exe (PID: 7132 cmdline: 'C:\Users\user\AppData\Local\Temp\ota.exe' MD5: F22F008D6287349195ADEF8975497D1F)
        • RegAsm.exe (PID: 900 cmdline: 'C:\Users\user\AppData\Local\Temp\ota.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
          • conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • asparagussens.exe (PID: 6004 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)
  • asparagussens.exe (PID: 1496 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: dd.exe PID: 7144 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: RegAsm.exe PID: 900 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 900 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ | Avira URL Cloud: Label: malware
Source: https://www.sogecoenergy.com/or/ag.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/or/ag.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/% | Avira URL Cloud: Label: malware
Source: dd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 116.203.34.79:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: global traffic | TCP traffic: 192.168.2.4:49749 -> 79.134.225.109:6090
Source: Joe Sandbox View | IP Address: 79.134.225.109 79.134.225.109
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | DNS traffic detected: queries for: www.sogecoenergy.com
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: http://aMDPVn.com
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://r3.i.lencr.org/05
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp | String found in binary or memory: http://www.yandex.com
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: ieinstal.exe, 00000004.00000003.746499859.00000000036CB000.00000004.00000001.sdmp | String found in binary or memory: https://ma.yandex.com/
Source: ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp | String found in binary or memory: https://mariotessarollo.com/
Source: ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp | String found in binary or memory: https://mariotessarollo.com/%
Source: RegAsm.exe | String found in binary or memory: https://mariotessarollo.com/or/ag.bin
Source: RegAsm.exe, 0000000B.00000002.919392238.0000000000F01000.00000040.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe | String found in binary or memory: https://mariotessarollo.com/ot/ot.bin
Source: ieinstal.exe, 00000004.00000002.935179958.0000000003251000.00000040.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin
Source: RegAsm.exe | String found in binary or memory: https://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe | String found in binary or memory: https://www.sogecoenergy.com/ot/ot.bin
Source: ieinstal.exe | String found in binary or memory: https://www.sogecoenergy.com/ota.bin
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 116.203.34.79:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.4:49769 version: TLS 1.2

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160E24 NtWriteVirtualMemory,0_2_02160E24
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021606D1 NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,0_2_021606D1
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165AE2 NtProtectVirtualMemory,0_2_02165AE2
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165F1D NtMapViewOfSection,0_2_02165F1D
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216049A EnumWindows,NtSetInformationThread,0_2_0216049A
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216261F NtWriteVirtualMemory,0_2_0216261F
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162200 NtWriteVirtualMemory,0_2_02162200
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166208 NtMapViewOfSection,0_2_02166208
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160634 NtSetInformationThread,0_2_02160634
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166223 NtMapViewOfSection,0_2_02166223
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162250 NtWriteVirtualMemory,0_2_02162250
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166243 NtMapViewOfSection,0_2_02166243
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216164F NtSetInformationThread,0_2_0216164F
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160678 NtSetInformationThread,0_2_02160678
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162667 NtWriteVirtualMemory,0_2_02162667
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166264 NtMapViewOfSection,0_2_02166264
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165A92 NtProtectVirtualMemory,0_2_02165A92
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216268F NtWriteVirtualMemory,0_2_0216268F
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165A8D NtProtectVirtualMemory,0_2_02165A8D
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021622B6 NtWriteVirtualMemory,0_2_021622B6
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160ED4 NtWriteVirtualMemory,0_2_02160ED4
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021622F0 NtWriteVirtualMemory,0_2_021622F0
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216231C NtWriteVirtualMemory,0_2_0216231C
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162F0C NtSetInformationThread,0_2_02162F0C
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165F30 NtMapViewOfSection,0_2_02165F30
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162350 NtWriteVirtualMemory,0_2_02162350
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165F5A NtMapViewOfSection,0_2_02165F5A
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165F78 NtMapViewOfSection,0_2_02165F78
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162393 NtWriteVirtualMemory,0_2_02162393
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165FA8 NtMapViewOfSection,0_2_02165FA8
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021623D4 NtWriteVirtualMemory,0_2_021623D4
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165FD8 NtMapViewOfSection,0_2_02165FD8
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165FC8 NtMapViewOfSection,0_2_02165FC8
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165FF4 NtMapViewOfSection,0_2_02165FF4
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166010 NtMapViewOfSection,0_2_02166010
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162424 NtWriteVirtualMemory,0_2_02162424
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162452 NtWriteVirtualMemory,0_2_02162452
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166040 NtMapViewOfSection,0_2_02166040
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166068 NtMapViewOfSection,0_2_02166068
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02164898 NtSetInformationThread,0_2_02164898
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162487 NtWriteVirtualMemory,0_2_02162487
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166088 NtMapViewOfSection,0_2_02166088
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021660A6 NtMapViewOfSection,0_2_021660A6
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021660D8 NtMapViewOfSection,0_2_021660D8
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021660C4 NtMapViewOfSection,0_2_021660C4
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021660FC NtMapViewOfSection,0_2_021660FC
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021628E5 NtWriteVirtualMemory,0_2_021628E5
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166133 NtMapViewOfSection,0_2_02166133
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216053B NtSetInformationThread,0_2_0216053B
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162547 NtWriteVirtualMemory,0_2_02162547
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216057F NtSetInformationThread,0_2_0216057F
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216257C NtWriteVirtualMemory,0_2_0216257C
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160560 NtSetInformationThread,0_2_02160560
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216616A NtMapViewOfSection,0_2_0216616A
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216619D NtMapViewOfSection,0_2_0216619D
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216218C NtWriteVirtualMemory,0_2_0216218C
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216058B NtSetInformationThread,0_2_0216058B
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021625B4 NtWriteVirtualMemory,0_2_021625B4
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021655A7 NtWriteVirtualMemory,0_2_021655A7
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021661D8 NtMapViewOfSection,0_2_021661D8
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021605F8 NtSetInformationThread,0_2_021605F8
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021625EC NtWriteVirtualMemory,0_2_021625EC
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021661EC NtMapViewOfSection,0_2_021661EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03251F4B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252BC0 LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252BDA LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252BDA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252AB2 LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,LoadLibraryA,4_2_03252AB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251EEC TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03251EEC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03255ADF LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,4_2_03255ADF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251F2E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03251F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251F07 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03251F07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251F7C TerminateThread,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03251F7C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252B54 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252B54
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252BA4 LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251FA2 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03251FA2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252BBC LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252BBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251FD3 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03251FD3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03255A8C LdrInitializeThunk,NtProtectVirtualMemory,4_2_03255A8C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03255A92 LdrInitializeThunk,NtProtectVirtualMemory,4_2_03255A92
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251E9B TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03251E9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252D04 NtProtectVirtualMemory,LdrInitializeThunk,4_2_03252D04
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251D96 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03251D96
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252C33 LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252C33
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252003 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252003
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252C13 LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252C13
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252C60 LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252C7B LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252C7B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252CB4 LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,4_2_03252CB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252CCC LdrInitializeThunk,NtProtectVirtualMemory,4_2_03252CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F0646B NtProtectVirtualMemory,11_2_00F0646B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F06048 NtProtectVirtualMemory,11_2_00F06048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F05DFF NtProtectVirtualMemory,11_2_00F05DFF
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_00401594 6_2_00401594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_1D9147A0 11_2_1D9147A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_1D914790 11_2_1D914790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_1D914773 11_2_1D914773
Source: dd.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ota.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: asparagussens.exe.11.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dd.exe, 00000000.00000002.751462403.00000000020A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitPOWbit vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitz vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbit+ vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbit vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitI vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbit6 vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitT vs dd.exe
Source: dd.exe, 00000000.00000002.751006160.0000000000419000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exe vs dd.exe
Source: dd.exe | Binary or memory string: OriginalFilenameMandfolkene7.exe vs dd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: dd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@10/3@3/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\Afkodedes8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\nxADcmgE
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\Lageradministrationernes5
Source: dd.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dd.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Afkodedes8\asparagussens.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Afkodedes8\asparagussens.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\dd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\dd.exe 'C:\Users\user\Desktop\dd.exe'
Source: C:\Users\user\Desktop\dd.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\dd.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: unknown | Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: C:\Users\user\Desktop\dd.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\dd.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORY
            Source: Yara match | File source: Process Memory Space: asparagussens.exe PID: 6004, type: MEMORY
            Source: Yara match | File source: Process Memory Space: asparagussens.exe PID: 1496, type: MEMORY
            Yara detected VB6 Downloader Generic
            Source: Yara match | File source: Process Memory Space: dd.exe PID: 7144, type: MEMORY
            Source: Yara match | File source: Process Memory Space: asparagussens.exe PID: 6004, type: MEMORY
            Source: Yara match | File source: Process Memory Space: asparagussens.exe PID: 1496, type: MEMORY
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03254B2C LoadLibraryA,GetProcAddress, 4_2_03254B2C
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02193E13 push eax; ret 6_2_02193E35
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021962CE push eax; ret 6_2_02196328
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021962F8 push eax; ret 6_2_02196328
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02195B0B push ebp; retf 6_2_02195B22
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021933B3 push ss; ret 6_2_021933B5
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021903EC push eax; ret 6_2_021903ED
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02193890 pushfd; retf 6_2_021938D7
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021938BB pushfd; retf 6_2_021938D7
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021938D8 pushfd; retf 6_2_021938D7
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02192CD8 push ecx; ret 6_2_02192CD9
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_0219396E pushfd; retf 6_2_0219396F
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02191967 pushfd; retf 6_2_021919AB
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021959A8 push ebp; retf 6_2_02195B22
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021945D3 pushfd; ret 6_2_021945EB
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021945F0 pushfd; ret 6_2_021945EB
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021919EF pushfd; retf 6_2_021919AB
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021915E4 push ecx; ret 6_2_021915E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F040B1 push ecx; ret 11_2_00F04080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F0403E push ecx; ret 11_2_00F04080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F03F87 push ds; retf 11_2_00F03F9F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_1D913838 push ds; ret 11_2_1D9137E7
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\ota.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\Afkodedes8\asparagussens.exe

            Boot Survival:

            Creates multiple autostart registry keys
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes
            Source: C:\Users\user\Desktop\dd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Process information set: NOOPENFILEERRORBOX