
Analysis Report dd.exe

Overview

General Information

Sample Name: dd.exe
Analysis ID: 380091
MD5: 287073f3d2c3100ba375b7bf0db3b0d9
SHA1: 8e09353697169cd3caaf49a008d53ade63b25526
SHA256: f32f7005937b4c94ff31996fde6a0843c05bfb47458ad29a15ddf3fb70c435d2

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Potential malicious icon found
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates multiple autostart registry keys
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • dd.exe (PID: 7144 cmdline: 'C:\Users\user\Desktop\dd.exe' MD5: 287073F3D2C3100BA375B7BF0DB3B0D9)
    • ieinstal.exe (PID: 6660 cmdline: 'C:\Users\user\Desktop\dd.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • ota.exe (PID: 7132 cmdline: 'C:\Users\user\AppData\Local\Temp\ota.exe' MD5: F22F008D6287349195ADEF8975497D1F)
        • RegAsm.exe (PID: 900 cmdline: 'C:\Users\user\AppData\Local\Temp\ota.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
          • conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • asparagussens.exe (PID: 6004 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)
  • asparagussens.exe (PID: 1496 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: dd.exe PID: 7144 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security
Process Memory Space: RegAsm.exe PID: 900 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 900 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ | Avira URL Cloud: Label: malware
Source: https://www.sogecoenergy.com/or/ag.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/or/ag.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/% | Avira URL Cloud: Label: malware
Source: dd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 116.203.34.79:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: global traffic | TCP traffic: 192.168.2.4:49749 -> 79.134.225.109:6090
Source: Joe Sandbox View | IP Address: 79.134.225.109 79.134.225.109
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | DNS traffic detected: queries for: www.sogecoenergy.com
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: http://aMDPVn.com
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://r3.i.lencr.org/05
Source: ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp | String found in binary or memory: http://www.yandex.com
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: ieinstal.exe, 00000004.00000003.746499859.00000000036CB000.00000004.00000001.sdmp | String found in binary or memory: https://ma.yandex.com/
Source: ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp | String found in binary or memory: https://mariotessarollo.com/
Source: ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp | String found in binary or memory: https://mariotessarollo.com/%
Source: RegAsm.exe | String found in binary or memory: https://mariotessarollo.com/or/ag.bin
Source: RegAsm.exe, 0000000B.00000002.919392238.0000000000F01000.00000040.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe | String found in binary or memory: https://mariotessarollo.com/ot/ot.bin
Source: ieinstal.exe, 00000004.00000002.935179958.0000000003251000.00000040.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin
Source: RegAsm.exe | String found in binary or memory: https://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe | String found in binary or memory: https://www.sogecoenergy.com/ot/ot.bin
Source: ieinstal.exe | String found in binary or memory: https://www.sogecoenergy.com/ota.bin
Source: RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160E24 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021606D1 NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165AE2 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165F1D NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216049A EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216261F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162200 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166208 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160634 NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166223 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162250 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166243 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216164F NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160678 NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162667 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166264 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165A92 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216268F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165A8D NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021622B6 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160ED4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021622F0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216231C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162F0C NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165F30 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162350 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165F5A NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165F78 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162393 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165FA8 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021623D4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165FD8 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165FC8 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02165FF4 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166010 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162424 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162452 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166040 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166068 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02164898 NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162487 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166088 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021660A6 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021660D8 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021660C4 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021660FC NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021628E5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02166133 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216053B NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02162547 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216057F NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216257C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160560 NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216616A NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216619D NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216218C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_0216058B NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021625B4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021655A7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021661D8 NtMapViewOfSection,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021605F8 NtSetInformationThread,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021625EC NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_021661EC NtMapViewOfSection,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252BC0 LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252BDA LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252AB2 LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,LoadLibraryA,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251EEC TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03255ADF LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251F2E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251F07 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251F7C TerminateThread,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252B54 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252BA4 LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251FA2 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252BBC LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251FD3 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03255A8C LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03255A92 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251E9B TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252D04 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03251D96 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252C33 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252003 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252C13 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252C60 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252C7B LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252CB4 LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03252CCC LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F0646B NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F06048 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F05DFF NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_00401594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_1D9147A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_1D914790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_1D914773
Source: dd.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ota.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: asparagussens.exe.11.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dd.exe, 00000000.00000002.751462403.00000000020A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitPOWbit vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitz vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbit+ vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbit vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitI vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbit6 vs dd.exe
Source: dd.exe, 00000000.00000002.752076052.00000000028E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exeFE2XPOWbitT vs dd.exe
Source: dd.exe, 00000000.00000002.751006160.0000000000419000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMandfolkene7.exe vs dd.exe
Source: dd.exe | Binary or memory string: OriginalFilenameMandfolkene7.exe vs dd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: dd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@10/3@3/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\Afkodedes8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\nxADcmgE
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\Lageradministrationernes5
Source: dd.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dd.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Afkodedes8\asparagussens.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\dd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\dd.exe 'C:\Users\user\Desktop\dd.exe'
Source: C:\Users\user\Desktop\dd.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\dd.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: unknown | Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORY
Source: Yara match | File source: Process Memory Space: asparagussens.exe PID: 6004, type: MEMORY
Source: Yara match | File source: Process Memory Space: asparagussens.exe PID: 1496, type: MEMORY

Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: dd.exe PID: 7144, type: MEMORY
Source: Yara match | File source: Process Memory Space: asparagussens.exe PID: 6004, type: MEMORY
Source: Yara match | File source: Process Memory Space: asparagussens.exe PID: 1496, type: MEMORY
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_03254B2C LoadLibraryA,GetProcAddress,
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02193E13 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021962CE push eax; ret
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021962F8 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02195B0B push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021933B3 push ss; ret
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021903EC push eax; ret
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02193890 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021938BB pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021938D8 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02192CD8 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_0219396E pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_02191967 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021959A8 push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021945D3 pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021945F0 pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021919EF pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 6_2_021915E4 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F040B1 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F0403E push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00F03F87 push ds; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_1D913838 push ds; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\ota.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\Afkodedes8\asparagussens.exe

            Boot Survival:

            Creates multiple autostart registry keys
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk (3 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes (5 identical entries)
            Source: C:\Users\user\Desktop\dd.exe Process information set: NOOPENFILEERRORBOX (9 identical entries)
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX (11 identical entries)
            Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX (9 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (50 identical entries)
            Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX (18 identical entries)

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021606D1 NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160798 TerminateProcess,
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021607B4 TerminateProcess,
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160808 TerminateProcess,
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160836 TerminateProcess,
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02160870 TerminateProcess,
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021608A8 TerminateProcess,
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021608D8 TerminateProcess,
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216090B TerminateProcess,
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\dd.exe RDTSC instruction interceptor: First address: 000000000216124D second address: 000000000216124D instructions:
                0x00000000 rdtsc
                0x00000002 xor eax, eax
                0x00000004 inc eax
                0x00000005 cpuid
                0x00000007 popad
                0x00000008 call 00007F8128E2BBB8h
                0x0000000d lfence
                0x00000010 mov edx, dword ptr [7FFE0014h]
                0x00000016 lfence
                0x00000019 ret
                0x0000001a sub edx, esi
                0x0000001c ret
                0x0000001d test ebx, ecx
                0x0000001f pop ecx
                0x00000020 test ah, dh
                0x00000022 add edi, edx
                0x00000024 dec ecx
                0x00000025 jmp 00007F8128E2BBC2h
                0x00000027 cmp dl, dl
                0x00000029 cmp ecx, 00000000h
                0x0000002c jne 00007F8128E2BB89h
                0x0000002e cmp ecx, ebx
                0x00000030 push ecx
                0x00000031 call 00007F8128E2BBF5h
                0x00000036 call 00007F8128E2BBC8h
                0x0000003b lfence
                0x0000003e mov edx, dword ptr [7FFE0014h]
                0x00000044 lfence
                0x00000047 ret
                0x00000048 mov esi, edx
                0x0000004a pushad
                0x0000004b rdtsc
            Source: C:\Users\user\Desktop\dd.exe RDTSC instruction interceptor: First address: 00000000021605B3 second address: 00000000021605B3 instructions:
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000003251545 second address: 0000000003251545 instructions:
            Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002192D2B second address: 0000000002192D2B instructions:
                0x00000000 rdtsc
                0x00000002 xor eax, eax
                0x00000004 inc eax
                0x00000005 cpuid
                0x00000007 popad
                0x00000008 call 00007F8128D67C28h
                0x0000000d lfence
                0x00000010 mov edx, dword ptr [7FFE0014h]
                0x00000016 lfence
                0x00000019 ret
                0x0000001a sub edx, esi
                0x0000001c ret
                0x0000001d pop ecx
                0x0000001e jmp 00007F8128D67C32h
                0x00000020 cmp ax, bx
                0x00000023 cmp eax, ebx
                0x00000025 add edi, edx
                0x00000027 dec ecx
                0x00000028 cmp ecx, 00000000h
                0x0000002b jne 00007F8128D67BF6h
                0x0000002d push ecx
                0x0000002e cmp ax, 00004A60h
                0x00000032 cmp al, cl
                0x00000034 call 00007F8128D67C6Ah
                0x00000039 call 00007F8128D67C38h
                0x0000003e lfence
                0x00000041 mov edx, dword ptr [7FFE0014h]
                0x00000047 lfence
                0x0000004a ret
                0x0000004b mov esi, edx
                0x0000004d pushad
                0x0000004e rdtsc
            Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002192338 second address: 0000000002192338 instructions:
            Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 00000000021925E9 second address: 00000000021925E9 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F01765 second address: 0000000000F01765 instructions:
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\dd.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\dd.exe File opened: C:\Program Files\qga\qga.exe
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Local\Temp\ota.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Local\Temp\ota.exe File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: dd.exe, 00000000.00000002.751509325.0000000002160000.00000040.00000001.sdmp, ieinstal.exe, 00000004.00000002.935179958.0000000003251000.00000040.00000001.sdmp, RegAsm.exe, asparagussens.exe, 0000000F.00000002.948974883.00000000022F0000.00000040.00000001.sdmp, asparagussens.exe, 00000011.00000002.928559050.00000000020C0000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\dd.exe RDTSC instruction interceptor: First address: 000000000216124D second address: 000000000216124D instructions:
                0x00000000 rdtsc
                0x00000002 xor eax, eax
                0x00000004 inc eax
                0x00000005 cpuid
                0x00000007 popad
                0x00000008 call 00007F8128E2BBB8h
                0x0000000d lfence
                0x00000010 mov edx, dword ptr [7FFE0014h]
                0x00000016 lfence
                0x00000019 ret
                0x0000001a sub edx, esi
                0x0000001c ret
                0x0000001d test ebx, ecx
                0x0000001f pop ecx
                0x00000020 test ah, dh
                0x00000022 add edi, edx
                0x00000024 dec ecx
                0x00000025 jmp 00007F8128E2BBC2h
                0x00000027 cmp dl, dl
                0x00000029 cmp ecx, 00000000h
                0x0000002c jne 00007F8128E2BB89h
                0x0000002e cmp ecx, ebx
                0x00000030 push ecx
                0x00000031 call 00007F8128E2BBF5h
                0x00000036 call 00007F8128E2BBC8h
                0x0000003b lfence
                0x0000003e mov edx, dword ptr [7FFE0014h]
                0x00000044 lfence
                0x00000047 ret
                0x00000048 mov esi, edx
                0x0000004a pushad
                0x0000004b rdtsc
            Source: C:\Users\user\Desktop\dd.exe RDTSC instruction interceptor: First address: 00000000021613D8 second address: 00000000021613D8 instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e xor eax, eax
                0x00000010 inc eax
                0x00000011 cpuid
                0x00000013 bt ecx, 1Fh
                0x00000017 jc 00007F8128D6BC47h
                0x0000001d popad
                0x0000001e call 00007F8128D67C2Dh
                0x00000023 lfence
                0x00000026 rdtsc
            Source: C:\Users\user\Desktop\dd.exe RDTSC instruction interceptor: First address: 00000000021605B3 second address: 00000000021605B3 instructions:
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 00000000032513D8 second address: 00000000032513D8 instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e xor eax, eax
                0x00000010 inc eax
                0x00000011 cpuid
                0x00000013 bt ecx, 1Fh
                0x00000017 jc 00007F8128D6BC47h
                0x0000001d popad
                0x0000001e call 00007F8128D67C2Dh
                0x00000023 lfence
                0x00000026 rdtsc
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000003251545 second address: 0000000003251545 instructions:
            Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002192D2B second address: 0000000002192D2B instructions:
                0x00000000 rdtsc
                0x00000002 xor eax, eax
                0x00000004 inc eax
                0x00000005 cpuid
                0x00000007 popad
                0x00000008 call 00007F8128D67C28h
                0x0000000d lfence
                0x00000010 mov edx, dword ptr [7FFE0014h]
                0x00000016 lfence
                0x00000019 ret
                0x0000001a sub edx, esi
                0x0000001c ret
                0x0000001d pop ecx
                0x0000001e jmp 00007F8128D67C32h
                0x00000020 cmp ax, bx
                0x00000023 cmp eax, ebx
                0x00000025 add edi, edx
                0x00000027 dec ecx
                0x00000028 cmp ecx, 00000000h
                0x0000002b jne 00007F8128D67BF6h
                0x0000002d push ecx
                0x0000002e cmp ax, 00004A60h
                0x00000032 cmp al, cl
                0x00000034 call 00007F8128D67C6Ah
                0x00000039 call 00007F8128D67C38h
                0x0000003e lfence
                0x00000041 mov edx, dword ptr [7FFE0014h]
                0x00000047 lfence
                0x0000004a ret
                0x0000004b mov esi, edx
                0x0000004d pushad
                0x0000004e rdtsc
            Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002192F18 second address: 0000000002192F18 instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e xor eax, eax
                0x00000010 inc eax
                0x00000011 cpuid
                0x00000013 bt ecx, 1Fh
                0x00000017 jc 00007F8128E2E293h
                0x0000001d popad
                0x0000001e call 00007F8128E2BC09h
                0x00000023 lfence
                0x00000026 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002192338 second address: 0000000002192338 instructions:
            Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 00000000021925E9 second address: 00000000021925E9 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F02F18 second address: 0000000000F02F18 instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e xor eax, eax
                0x00000010 inc eax
                0x00000011 cpuid
                0x00000013 bt ecx, 1Fh
                0x00000017 jc 00007F8128D6A303h
                0x0000001d popad
                0x0000001e call 00007F8128D67C79h
                0x00000023 lfence
                0x00000026 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F01765 second address: 0000000000F01765 instructions:
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021606D1 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 3820
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3220
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 6492
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 7.5 %
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6912 Thread sleep count: 3820 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2896 Thread sleep time: -20291418481080494s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 3820 delay: -5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
            Source: RegAsm.exe, 0000000B.00000002.983678402.00000000205C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: RegAsm.exe, 0000000B.00000002.983678402.00000000205C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: dd.exe, 00000000.00000002.751509325.0000000002160000.00000040.00000001.sdmp, ieinstal.exe, 00000004.00000002.935179958.0000000003251000.00000040.00000001.sdmp, RegAsm.exe, asparagussens.exe, 0000000F.00000002.948974883.00000000022F0000.00000040.00000001.sdmp, asparagussens.exe, 00000011.00000002.928559050.00000000020C0000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: RegAsm.exe, 0000000B.00000002.983678402.00000000205C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: RegAsm.exe, 0000000B.00000002.983678402.00000000205C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021606D1 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000004
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\dd.exe Thread information set: HideFromDebugger
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\Temp\ota.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021606D1 rdtsc
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02162DAF LdrInitializeThunk,
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254B2C LoadLibraryA,GetProcAddress,
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02165612 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161E06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216565B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164658 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161E40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216164F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164668 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_0216568C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164707 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164F70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02164F79 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161D96 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021655B4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161DB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021655A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021629DC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_021655CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\dd.exe Code function: 0_2_02161DEB mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254707 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254F70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254F79 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03255612 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254668 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03254658 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_0325565B mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_0325568C mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_032555A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_032555B4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_032555CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_032529D9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F048DC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F050B5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F05BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00F05B66 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_03251F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\dd.exe | Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3250000
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F00000
Source: C:\Users\user\Desktop\dd.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\dd.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: ieinstal.exe, 00000004.00000002.935400818.0000000003AB0000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.934748300.0000000001710000.00000002.00000001.sdmp, asparagussens.exe, 0000000F.00000002.918107816.0000000000DE0000.00000002.00000001.sdmp, asparagussens.exe, 00000011.00000002.917567231.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: ieinstal.exe, 00000004.00000002.935400818.0000000003AB0000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.934748300.0000000001710000.00000002.00000001.sdmp, asparagussens.exe, 0000000F.00000002.918107816.0000000000DE0000.00000002.00000001.sdmp, asparagussens.exe, 00000011.00000002.917567231.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000004.00000002.935400818.0000000003AB0000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.934748300.0000000001710000.00000002.00000001.sdmp, asparagussens.exe, 0000000F.00000002.918107816.0000000000DE0000.00000002.00000001.sdmp, asparagussens.exe, 00000011.00000002.917567231.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: ieinstal.exe, 00000004.00000002.935400818.0000000003AB0000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.934748300.0000000001710000.00000002.00000001.sdmp, asparagussens.exe, 0000000F.00000002.918107816.0000000000DE0000.00000002.00000001.sdmp, asparagussens.exe, 00000011.00000002.917567231.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\dd.exe | Code function: 0_2_02160A82 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 11 | Process Injection 112 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 841 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | DLL Side-Loading 1 | Registry Run Keys / Startup Folder 11 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 361 | Security Account Manager | Virtualization/Sandbox Evasion 361 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 423 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Behavior Graph

Behavior Graph ID: 380091 | Sample: dd.exe | Start date: 01/04/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Potential malicious icon found; Antivirus detection for URL or domain; Yara detected GuLoader; 5 other signatures

Process tree (numbers after a process name are the created registry values / created files counts as shown in the graph):

dd.exe 1 (started)
  Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); 4 other signatures
  ieinstal.exe 1 11 (started)
    DNS/IP: mariotessarollo.com 185.81.0.109, 443, 49748, 49769 SERVERPLAN-ASIT Italy; sogecoenergy.com 116.203.34.79, 443, 49745 HETZNER-ASDE Germany; 2 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\Temp\ota.exe, PE32
    Signatures: Creates multiple autostart registry keys; Tries to detect Any.run; Hides threads from debuggers
    ota.exe 1 (started)
      Signatures: Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 2 other signatures
      RegAsm.exe 1 11 (started)
        DNS/IP: mariotessarollo.com
        Dropped: C:\Users\user\Afkodedes8\asparagussens.exe, PE32
        Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Creates multiple autostart registry keys; 4 other signatures
        conhost.exe (started)
asparagussens.exe (started)
asparagussens.exe (started)

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin | 100% | Avira URL Cloud | malware
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.sogecoenergy.com/ota.bin | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://mariotessarollo.com/ | 100% | Avira URL Cloud | malware
http://r3.i.lencr.org/05 | 0% | Avira URL Cloud | safe
https://www.sogecoenergy.com/ot/ot.bin | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
https://www.sogecoenergy.com/or/ag.bin | 100% | Avira URL Cloud | malware
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
https://mariotessarollo.com/or/ag.bin | 100% | Avira URL Cloud | malware
https://mariotessarollo.com/ot/ot.bin | 100% | Avira URL Cloud | malware
https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin | 100% | Avira URL Cloud | malware
http://aMDPVn.com | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
https://mariotessarollo.com/% | 100% | Avira URL Cloud | malware

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sogecoenergy.com | 116.203.34.79 | true | false | | unknown
mariotessarollo.com | 185.81.0.109 | true | false | | unknown
www.sogecoenergy.com | unknown | unknown | false | | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin | RegAsm.exe, 0000000B.00000002.919392238.0000000000F01000.00000040.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://DynDns.comDynDNS | RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://www.sogecoenergy.com/ota.bin | ieinstal.exe | false | Avira URL Cloud: safe | unknown
http://cps.letsencrypt.org0 | ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | false | URL Reputation: safe (3x) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://mariotessarollo.com/ | ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://r3.i.lencr.org/05 | ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sogecoenergy.com/ot/ot.bin | ieinstal.exe | false | Avira URL Cloud: safe | unknown
http://r3.o.lencr.org0 | ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | false | URL Reputation: safe (3x) | unknown
https://www.sogecoenergy.com/or/ag.bin | RegAsm.exe | true | Avira URL Cloud: malware | unknown
https://api.ipify.org%GETMozilla/5.0 | RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | low
https://ma.yandex.com/ | ieinstal.exe, 00000004.00000003.746499859.00000000036CB000.00000004.00000001.sdmp | false | | high
http://www.yandex.com | ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp | false | | high
https://mariotessarollo.com/or/ag.bin | RegAsm.exe | true | Avira URL Cloud: malware | unknown
https://mariotessarollo.com/ot/ot.bin | ieinstal.exe | true | Avira URL Cloud: malware | unknown
https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin | ieinstal.exe, 00000004.00000002.935179958.0000000003251000.00000040.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://aMDPVn.com | RegAsm.exe, 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.root-x1.letsencrypt.org0 | ieinstal.exe, 00000004.00000002.935370221.00000000036CE000.00000004.00000020.sdmp | false | URL Reputation: safe (3x) | unknown
https://mariotessarollo.com/% | ieinstal.exe, 00000004.00000002.935357606.00000000036AE000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown

                      Contacted IPs


                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
116.203.34.79 | sogecoenergy.com | Germany | 24940 | HETZNER-ASDE | false
185.81.0.109 | mariotessarollo.com | Italy | 52030 | SERVERPLAN-ASIT | false
79.134.225.109 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | false

                      General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 380091
Start date: 01.04.2021
Start time: 15:42:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: dd.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.evad.winEXE@10/3@3/3
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 8.6% (good quality ratio 6.6%)
• Quality average: 46.7%
• Quality standard deviation: 28.2%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 40.88.32.150, 104.43.193.48, 20.82.210.154, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

Time | Type | Description
15:43:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk C:\Users\user\AppData\Local\Temp\Lageradministrationernes5\Hubey7.exe
15:43:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk C:\Users\user\AppData\Local\Temp\Lageradministrationernes5\Hubey7.exe
15:44:36 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes C:\Users\user\Afkodedes8\asparagussens.exe
15:44:42 | API Interceptor | 141x Sleep call for process: RegAsm.exe modified
15:44:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes C:\Users\user\Afkodedes8\asparagussens.exe

                      Joe Sandbox View / Context

                      IPs

Match | Associated Sample Name / URL | Detection
79.134.225.109 | cW49B9lA9c4reHCwa7Be.exe | malicious
79.134.225.109 | PFA-ZeroLag.sfx.exe | malicious
79.134.225.109 | igfx.sfx.exe | malicious
79.134.225.109 | P.O List.exe | malicious
79.134.225.109 | P.O List.exe | malicious
79.134.225.109 | 22Quotation Ref detail 00821928299.exe | malicious

                                  Domains

                                  No context

                                  ASN

Match | Associated Sample Name / URL | Detection | Context
HETZNER-ASDE | Invoice_23323_1266896570470_xls.xls | malicious | 195.201.199.53
HETZNER-ASDE | Sales_Receipt 8723_xls.xls | malicious | 195.201.199.53
HETZNER-ASDE | NR52.vbs | malicious | 148.251.248.121
HETZNER-ASDE | xXeJaeHDWB.exe | malicious | 116.203.98.109
HETZNER-ASDE | z3K7aKrxnY.dll | malicious | 195.201.199.53
HETZNER-ASDE | eQUaXC2xcX.dll | malicious | 195.201.199.53
HETZNER-ASDE | Xge8NNaMlp.dll | malicious | 195.201.199.53
HETZNER-ASDE | S7Q7IHtI7P.dll | malicious | 195.201.199.53
HETZNER-ASDE | Li6CdVD4Fk.dll | malicious | 195.201.199.53
HETZNER-ASDE | P3oc9jifnU.dll | malicious | 195.201.199.53
HETZNER-ASDE | lxMd2OQ9QZ.dll | malicious | 195.201.199.53
HETZNER-ASDE | ajTb3RB2ou.dll | malicious | 195.201.199.53
HETZNER-ASDE | 3LA8Qgt0UO.dll | malicious | 195.201.199.53
HETZNER-ASDE | X4uDihapth.dll | malicious | 195.201.199.53
HETZNER-ASDE | HWWKFile.exe | malicious | 88.99.66.31
HETZNER-ASDE | Sales_Receipt 5576.xls | malicious | 195.201.199.53
HETZNER-ASDE | Payment_Receipt 1726.xls | malicious | 195.201.199.53
HETZNER-ASDE | FileZilla_3.53.1_win64_sponsored-setup.exe | malicious | 49.12.121.47
HETZNER-ASDE | FileZilla_3.53.1_win64_sponsored-setup.exe | malicious | 49.12.121.47
HETZNER-ASDE | invoice.xls | malicious | 195.201.199.53
SERVERPLAN-ASIT | ATBDiek3u4.html | malicious | 46.28.2.29
SERVERPLAN-ASIT | Copy of Invoice 522967.xlsm | malicious | 185.81.4.25
SERVERPLAN-ASIT | Copy of Invoice 522967.xlsm | malicious | 185.81.4.25
SERVERPLAN-ASIT | Copy of Invoice 51682358.xlsm | malicious | 185.81.2.128
SERVERPLAN-ASIT | Doc.exe | malicious | 185.81.4.203
SERVERPLAN-ASIT | SecuriteInfo.com.VB.Heur.EmoDldr.32.A9BE9151.Gen.4945.xlsm | malicious | 185.81.4.25
SERVERPLAN-ASIT | Sign-1870635479_637332644.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.1476.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.1181.xls | malicious | 185.81.0.78
FINK-TELECOM-SERVICESCH | IMG_110_63_078SWIFT.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | yQY73z6zaP.exe | malicious | 79.134.225.25
FINK-TELECOM-SERVICESCH | SOA6058.exe | malicious | 79.134.225.79
FINK-TELECOM-SERVICESCH | PO-290321 (Itakrom).pif.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | RFQ234.exe | malicious | 79.134.225.124
FINK-TELECOM-SERVICESCH | EUjk8F87b8.exe | malicious | 79.134.225.82
FINK-TELECOM-SERVICESCH | rgGyG2iLnd.exe | malicious | 79.134.225.22
FINK-TELECOM-SERVICESCH | SCN-PV21-00920 P NEW ORDER.exe | malicious | 79.134.225.23
FINK-TELECOM-SERVICESCH | jnHnxgMde8.exe | malicious | 79.134.225.54
FINK-TELECOM-SERVICESCH | 913JAGoybO.exe | malicious | 79.134.225.54
FINK-TELECOM-SERVICESCH | PURCHASE ORDER EXPORT0022355048 SCAN DOC_PDF.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | pha_bank.doc | malicious | 79.134.225.22
FINK-TELECOM-SERVICESCH | fiBtpVf4SM.exe | malicious | 79.134.225.22
FINK-TELECOM-SERVICESCH | jOogprTpcm.exe | malicious | 79.134.225.22
FINK-TELECOM-SERVICESCH | veeLG9SL41.exe | malicious | 79.134.225.54
FINK-TELECOM-SERVICESCH | b387fdad92f7db816e8827bcb9f233c7da006ffb1f897.exe | malicious | 79.134.225.54
FINK-TELECOM-SERVICESCH | Update of the OFFICE PACK.xlam | malicious | 79.134.225.73
FINK-TELECOM-SERVICESCH | Quotation Assurance.doc | malicious | 79.134.225.73
FINK-TELECOM-SERVICESCH | Update of the OFFICE PACK.doc | malicious |
                                  • 79.134.225.73
                                  DIGITAL_PAYMENT_Transmitter_Puvnmteqvrpmujdxrgnnwkadmmmglrtyvq.exeGet hashmaliciousBrowse
                                  • 79.134.225.23

                                  JA3 Fingerprints

                                   Match: 37f463bf4616ecd445d4a1937da06e19
                                   Associated samples (every entry detected as malicious; context IPs 116.203.34.79 and 185.81.0.109 for each):
                                   • Invoice_23323_1266896570470_xls.xls
                                   • brett.moss SWIFT Copy 2021.htm
                                   • Tvoz_f.exe
                                   • NR52.vbs
                                   • AMPUTERE.exe
                                   • martin.connor SWIFT Copy 2021.htm
                                   • xXeJaeHDWB.exe
                                   • Purchase_Order 3109.xls
                                   • Invoice_150.xlsm
                                   • FileZilla_3.53.1_win64_sponsored-setup.exe
                                   • #Ufffd.HTML
                                   • FileZilla_3.53.1_win64_sponsored-setup.exe
                                   • SecuriteInfo.com.Mal.GandCrypt-A.4160.exe
                                   • 1Nqs1iTfMz.exe
                                   • yPkfbflyoh.exe
                                   • SOC_0#7198, INV#512 Via GoogleDocs gracechung.html
                                   • lv.exe
                                   • 8637.xlsx
                                   • YtR0OI1H6G.exe
                                   • ABS Browser.exe

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\Afkodedes8\asparagussens.exe
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):102400
                                  Entropy (8bit):5.4602601685745045
                                  Encrypted:false
                                  SSDEEP:1536:pQdT+pR4/Mj4EOqc++uyBE/Coq5jcZfP7I4fVRejKtZHyhjgyQfz/pa0AxWAECC8:pgWnc+zyBE/m5jcZH84heEprJa
                                  MD5:F22F008D6287349195ADEF8975497D1F
                                  SHA1:64B77588A6835FCBCBF1679F179360D8446DA766
                                  SHA-256:C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
                                  SHA-512:46CE3DC5976A9DF50185CA0E233ECF4747BC7701E6C12C500280D52750712EF80290E90EFA98FFE56CA94D6EEBD64AB1371DF182E3DB9247411E07ED483CB5C1
                                  Malicious:false
                                  Reputation:low
                                  C:\Users\user\AppData\Local\Temp\Lageradministrationernes5\Hubey7.exe
                                  Process:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):102401
                                  Entropy (8bit):5.443600389721494
                                  Encrypted:false
                                  SSDEEP:1536:HYNgd2V1trE261H7R/F7ogTI+ri7KJWUv691OGPmahFGo6LcsoWFM1SR5MSY:HbEE2YHd6gU+SrJSY
                                  MD5:F889D14ADBCC95A93F54D24F4AF140BA
                                  SHA1:0F031A14CD1ECA0DDEEAD98C09CE1F453B27D0D5
                                  SHA-256:C991123689604F5A839C971EA532FC0FE0A0723E940DBB4FB6E92B29D699C9AA
                                  SHA-512:25CEDB4A8CA746129CBA4A10F5865E13CA654176E9F5271C080CE48AECE389B38F18EE901F095B613EE8303D74B6E04D6716930D64462016F6FD217E587D5C6D
                                  Malicious:false
                                  Reputation:low
                                  C:\Users\user\AppData\Local\Temp\ota.exe
                                  Process:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):102400
                                  Entropy (8bit):5.4602601685745045
                                  Encrypted:false
                                  SSDEEP:1536:pQdT+pR4/Mj4EOqc++uyBE/Coq5jcZfP7I4fVRejKtZHyhjgyQfz/pa0AxWAECC8:pgWnc+zyBE/m5jcZH84heEprJa
                                  MD5:F22F008D6287349195ADEF8975497D1F
                                  SHA1:64B77588A6835FCBCBF1679F179360D8446DA766
                                  SHA-256:C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
                                  SHA-512:46CE3DC5976A9DF50185CA0E233ECF4747BC7701E6C12C500280D52750712EF80290E90EFA98FFE56CA94D6EEBD64AB1371DF182E3DB9247411E07ED483CB5C1
                                  Malicious:true
                                  Reputation:low

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):5.443636659306316
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.15%
                                  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:dd.exe
                                  File size:102400
                                  MD5:287073f3d2c3100ba375b7bf0db3b0d9
                                  SHA1:8e09353697169cd3caaf49a008d53ade63b25526
                                  SHA256:f32f7005937b4c94ff31996fde6a0843c05bfb47458ad29a15ddf3fb70c435d2
                                  SHA512:203387c3884c9a34c57df1fd0a386a1141670c2779db262ec3d912b16c99d36839d656072fe8081747b74aff3fbcf889d52feab999ec77c896848a5b8f8ee887
                                  SSDEEP:1536:4YNgd2V1trE261H7R/F7ogTI+ri7KJWUv691OGPmahFGo6LcsoWFM1SR5MS:4bEE2YHd6gU+SrJS
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....pX.................`...0...............p....@................

                                  File Icon

                                  Icon Hash:20047c7c70f0e004

                                  Static PE Info

                                  General

                                  Entrypoint:0x401594
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                  DLL Characteristics:
                                  Time Stamp:0x5870D214 [Sat Jan 7 11:33:40 2017 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:0a9ef7cc3833edd03402bcd316bbd785

                                  Entrypoint Preview


                                  Data Directories

                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16724 | 0x28 | .text
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x968 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1b0 | .text
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                   Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x1000 | 0x15d48 | 0x16000 | False | 0.380715110085 | data | 5.84552175054 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                   .data | 0x17000 | 0x11b0 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                   .rsrc | 0x19000 | 0x968 | 0x1000 | False | 0.177978515625 | data | 2.04406356685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                  Resources

                                   Name | RVA | Size | Type | Language | Country
                                   RT_ICON | 0x19838 | 0x130 | data | |
                                   RT_ICON | 0x19550 | 0x2e8 | data | |
                                   RT_ICON | 0x19428 | 0x128 | GLS_BINARY_LSB_FIRST | |
                                   RT_GROUP_ICON | 0x193f8 | 0x30 | data | |
                                   RT_VERSION | 0x19150 | 0x2a8 | data | Kyrgyz Cyrillic |

                                  Imports

                                   DLL | Import
                                   MSVBVM60.DLL | __vbaStrI2, _CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaExitProc, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                  Version Infos

                                   Description | Data
                                   Translation | 0x0440 0x04b0
                                   LegalCopyright | POWbit
                                   InternalName | Mandfolkene7
                                   FileVersion | 1.00
                                   CompanyName | POWbit
                                   LegalTrademarks | POWbit
                                   Comments | POWbit
                                   ProductName | O
                                   ProductVersion | 1.00
                                   OriginalFilename | Mandfolkene7.exe

                                  Possible Origin

                                   Language of compilation system | Country where language is spoken | Map
                                   Kyrgyz Cyrillic | |

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets

                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Apr 1, 2021 15:43:42.463797092 CEST44349745116.203.34.79192.168.2.4
                                  Apr 1, 2021 15:43:42.463807106 CEST49745443192.168.2.4116.203.34.79
                                  Apr 1, 2021 15:43:42.463823080 CEST44349745116.203.34.79192.168.2.4
                                  Apr 1, 2021 15:43:42.463835001 CEST49745443192.168.2.4116.203.34.79
                                  Apr 1, 2021 15:43:42.463848114 CEST44349745116.203.34.79192.168.2.4
                                  Apr 1, 2021 15:43:42.463856936 CEST49745443192.168.2.4116.203.34.79
                                  Apr 1, 2021 15:43:42.463872910 CEST44349745116.203.34.79192.168.2.4
                                  Apr 1, 2021 15:43:42.463900089 CEST44349745116.203.34.79192.168.2.4
                                  Apr 1, 2021 15:43:42.463913918 CEST49745443192.168.2.4116.203.34.79
                                  Apr 1, 2021 15:43:42.463932037 CEST44349745116.203.34.79192.168.2.4
                                  Apr 1, 2021 15:43:42.463944912 CEST49745443192.168.2.4116.203.34.79
                                  Apr 1, 2021 15:43:42.463960886 CEST44349745116.203.34.79192.168.2.4

                                  UDP Packets

                                  Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                  Apr 1, 2021 15:43:15.535963058 CEST  58028        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:15.581911087 CEST  53           58028      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:16.694917917 CEST  53097        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:16.753235102 CEST  53           53097      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:18.575983047 CEST  49257        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:18.621825933 CEST  53           49257      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:19.573478937 CEST  62389        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:19.620323896 CEST  53           62389      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:20.695627928 CEST  49910        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:20.741533995 CEST  53           49910      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:21.026272058 CEST  55854        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:21.073623896 CEST  53           55854      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:22.196043015 CEST  64549        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:22.250602961 CEST  53           64549      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:23.158515930 CEST  63153        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:23.204359055 CEST  53           63153      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:24.994379044 CEST  52991        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:25.043277025 CEST  53           52991      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:26.692487001 CEST  53700        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:26.752346039 CEST  53           53700      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:27.868361950 CEST  51726        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:27.914273977 CEST  53           51726      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:29.413628101 CEST  56794        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:29.461770058 CEST  53           56794      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:35.571326017 CEST  56534        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:35.621689081 CEST  53           56534      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:37.100397110 CEST  56627        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:37.156961918 CEST  53           56627      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:39.956054926 CEST  56621        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:40.008654118 CEST  53           56621      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:40.745585918 CEST  63116        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:40.791531086 CEST  53           63116      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:41.833261967 CEST  64078        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:41.901607037 CEST  53           64078      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:41.939317942 CEST  64801        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:41.986629963 CEST  53           64801      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:42.864022970 CEST  61721        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:42.909962893 CEST  53           61721      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:43.421148062 CEST  51255        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:43.511255980 CEST  53           51255      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:45.867594957 CEST  61522        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:45.913599968 CEST  53           61522      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:47.256077051 CEST  52337        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:47.303358078 CEST  53           52337      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:43:48.815706015 CEST  55046        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:43:48.861762047 CEST  53           55046      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:01.465003967 CEST  49612        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:01.548556089 CEST  53           49612      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:02.225209951 CEST  49285        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:02.367655993 CEST  53           49285      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:02.901695967 CEST  50601        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:02.960102081 CEST  53           50601      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:03.448379040 CEST  60875        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:03.503814936 CEST  53           60875      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:04.060703039 CEST  56448        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:04.117774963 CEST  53           56448      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:04.691134930 CEST  59172        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:04.737149954 CEST  53           59172      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:05.230901003 CEST  62420        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:05.289005995 CEST  53           62420      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:06.135133982 CEST  60579        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:06.192943096 CEST  53           60579      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:07.205127001 CEST  50183        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:07.262980938 CEST  53           50183      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:07.919828892 CEST  61531        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:07.968537092 CEST  53           61531      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:13.103957891 CEST  49228        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:13.174320936 CEST  53           49228      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:17.459073067 CEST  59794        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:17.517321110 CEST  53           59794      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:33.246081114 CEST  55916        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:33.300718069 CEST  53           55916      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:52.180541992 CEST  52752        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:52.235055923 CEST  53           52752      8.8.8.8      192.168.2.4
                                  Apr 1, 2021 15:44:52.807077885 CEST  60542        53         192.168.2.4  8.8.8.8
                                  Apr 1, 2021 15:44:52.867428064 CEST  53           60542      8.8.8.8      192.168.2.4

                                  DNS Queries

                                  Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class
                                  Apr 1, 2021 15:43:41.833261967 CEST  192.168.2.4  8.8.8.8  0xd98d    Standard query (0)  www.sogecoenergy.com  A (IP address)  IN (0x0001)
                                  Apr 1, 2021 15:43:43.421148062 CEST  192.168.2.4  8.8.8.8  0x3070    Standard query (0)  mariotessarollo.com   A (IP address)  IN (0x0001)
                                  Apr 1, 2021 15:44:33.246081114 CEST  192.168.2.4  8.8.8.8  0x2fcf    Standard query (0)  mariotessarollo.com   A (IP address)  IN (0x0001)

                                  DNS Answers

                                  Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                  CName             Address        Type                    Class
                                  Apr 1, 2021 15:43:41.901607037 CEST  8.8.8.8    192.168.2.4  0xd98d    No error (0)  www.sogecoenergy.com  sogecoenergy.com  -              CNAME (Canonical name)  IN (0x0001)
                                  Apr 1, 2021 15:43:41.901607037 CEST  8.8.8.8    192.168.2.4  0xd98d    No error (0)  sogecoenergy.com      -                 116.203.34.79  A (IP address)          IN (0x0001)
                                  Apr 1, 2021 15:43:43.511255980 CEST  8.8.8.8    192.168.2.4  0x3070    No error (0)  mariotessarollo.com   -                 185.81.0.109   A (IP address)          IN (0x0001)
                                  Apr 1, 2021 15:44:33.300718069 CEST  8.8.8.8    192.168.2.4  0x2fcf    No error (0)  mariotessarollo.com   -                 185.81.0.109   A (IP address)          IN (0x0001)

                                  HTTPS Packets

                                  Timestamp                            Source IP      Source Port  Dest IP      Dest Port
                                  Apr 1, 2021 15:43:42.081465960 CEST  116.203.34.79  443          192.168.2.4  49745
                                    Certificate chain:
                                      Subject: CN=sogecoenergy.com
                                        Issuer: CN=R3, O=Let's Encrypt, C=US
                                        Not Before: Sat Feb 27 01:36:30 CET 2021   Not After: Fri May 28 02:36:30 CEST 2021
                                      Subject: CN=R3, O=Let's Encrypt, C=US
                                        Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
                                        Not Before: Wed Oct 07 21:21:40 CEST 2020   Not After: Wed Sep 29 21:21:40 CEST 2021
                                    JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
                                    JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19
                                  Apr 1, 2021 15:43:43.642653942 CEST  185.81.0.109   443          192.168.2.4  49748
                                    Certificate chain:
                                      Subject: CN=mariotessarollo.com
                                        Issuer: CN=R3, O=Let's Encrypt, C=US
                                        Not Before: Sun Mar 21 16:24:48 CET 2021   Not After: Sat Jun 19 17:24:48 CEST 2021
                                      Subject: CN=R3, O=Let's Encrypt, C=US
                                        Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
                                        Not Before: Wed Oct 07 21:21:40 CEST 2020   Not After: Wed Sep 29 21:21:40 CEST 2021
                                    JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
                                    JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19
                                  Apr 1, 2021 15:44:33.473458052 CEST  185.81.0.109   443          192.168.2.4  49769
                                    Certificate chain:
                                      Subject: CN=mariotessarollo.com
                                        Issuer: CN=R3, O=Let's Encrypt, C=US
                                        Not Before: Sun Mar 21 16:24:48 CET 2021   Not After: Sat Jun 19 17:24:48 CEST 2021
                                      Subject: CN=R3, O=Let's Encrypt, C=US
                                        Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
                                        Not Before: Wed Oct 07 21:21:40 CEST 2020   Not After: Wed Sep 29 21:21:40 CEST 2021
                                    JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
                                    JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

                                  Code Manipulations

                                  Statistics

                                  Behavior

                                  System Behavior

                                  General

                                  Start time: 15:42:56
                                  Start date: 01/04/2021
                                  Path: C:\Users\user\Desktop\dd.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Users\user\Desktop\dd.exe'
                                  Imagebase: 0x400000
                                  File size: 102400 bytes
                                  MD5 hash: 287073F3D2C3100BA375B7BF0DB3B0D9
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: Visual Basic
                                  Reputation: low

                                  General

                                  Start time: 15:43:25
                                  Start date: 01/04/2021
                                  Path: C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Users\user\Desktop\dd.exe'
                                  Imagebase: 0xe90000
                                  File size: 480256 bytes
                                  MD5 hash: DAD17AB737E680C47C8A44CBB95EE67E
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: moderate

                                  General

                                  Start time: 15:43:42
                                  Start date: 01/04/2021
                                  Path: C:\Users\user\AppData\Local\Temp\ota.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Users\user\AppData\Local\Temp\ota.exe'
                                  Imagebase: 0x400000
                                  File size: 102400 bytes
                                  MD5 hash: F22F008D6287349195ADEF8975497D1F
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: Visual Basic
                                  Reputation: low

                                  General

                                  Start time: 15:44:18
                                  Start date: 01/04/2021
                                  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Users\user\AppData\Local\Temp\ota.exe'
                                  Imagebase: 0xaf0000
                                  File size: 64616 bytes
                                  MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: .Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.964449011.000000001DAC1000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation: high

                                  General

                                  Start time: 15:44:19
                                  Start date: 01/04/2021
                                  Path: C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit): false
                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase: 0x7ff724c50000
                                  File size: 625664 bytes
                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  General

                                  Start time: 15:44:44
                                  Start date: 01/04/2021
                                  Path: C:\Users\user\Afkodedes8\asparagussens.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Users\user\Afkodedes8\asparagussens.exe'
                                  Imagebase: 0x400000
                                  File size: 102400 bytes
                                  MD5 hash: F22F008D6287349195ADEF8975497D1F
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: Visual Basic
                                  Reputation: low

                                  General

                                  Start time: 15:44:52
                                  Start date: 01/04/2021
                                  Path: C:\Users\user\Afkodedes8\asparagussens.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Users\user\Afkodedes8\asparagussens.exe'
                                  Imagebase: 0x400000
                                  File size: 102400 bytes
                                  MD5 hash: F22F008D6287349195ADEF8975497D1F
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: Visual Basic
                                  Reputation: low

                                  Disassembly

                                  Code Analysis