Loading ...

Play interactive tourEdit tour

Analysis Report ota.exe

Overview

General Information

Sample Name:ota.exe
Analysis ID:380129
MD5:f22f008d6287349195adef8975497d1f
SHA1:64b77588a6835fcbcbf1679f179360d8446da766
SHA256:c6d5dde1a7608f08848860e1c0eb75eb1c489200494e781476f05bc356a3f1ca
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Potential malicious icon found
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • ota.exe (PID: 6320 cmdline: 'C:\Users\user\Desktop\ota.exe' MD5: F22F008D6287349195ADEF8975497D1F)
    • RegAsm.exe (PID: 7116 cmdline: 'C:\Users\user\Desktop\ota.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • asparagussens.exe (PID: 2880 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)
    • RegAsm.exe (PID: 6988 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • asparagussens.exe (PID: 5612 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)
    • RegAsm.exe (PID: 4252 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "MudCgXVglm1ecB", "URL: ": "https://GpRF9zq8AHV0FbxqM.net", "To: ": "Backup@fibertech.ae", "ByHost: ": "mail.fibertech.ae:587", "Password: ": "I9QH8OkRv4hR1ub", "From: ": "test@fibertech.ae"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.479697075.000000001D521000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000A.00000002.479697075.000000001D521000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000012.00000002.887485550.000000001D7B1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000012.00000002.887485550.000000001D7B1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: RegAsm.exe PID: 7116JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 6 entries

            Sigma Overview

            System Summary:

            barindex
            Sigma detected: RegAsm connects to smtp portShow sources
            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 192.185.29.233, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 6988, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49739

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus detection for URL or domainShow sources
            Source: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.binAvira URL Cloud: Label: malware
            Source: https://mariotessarollo.com/Avira URL Cloud: Label: malware
            Source: https://www.sogecoenergy.com/or/ag.binAvira URL Cloud: Label: malware
            Source: https://mariotessarollo.com/or/ag.binAvira URL Cloud: Label: malware
            Found malware configurationShow sources
            Source: RegAsm.exe.6988.18.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "MudCgXVglm1ecB", "URL: ": "https://GpRF9zq8AHV0FbxqM.net", "To: ": "Backup@fibertech.ae", "ByHost: ": "mail.fibertech.ae:587", "Password: ": "I9QH8OkRv4hR1ub", "From: ": "test@fibertech.ae"}
            Multi AV Scanner detection for domain / URLShow sources
            Source: mariotessarollo.comVirustotal: Detection: 9%Perma Link
            Source: ota.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: unknownHTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.5:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.5:49719 version: TLS 1.2

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: https://GpRF9zq8AHV0FbxqM.net
            Source: Joe Sandbox ViewASN Name: SERVERPLAN-ASIT SERVERPLAN-ASIT
            Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS traffic detected: queries for: mariotessarollo.com
            Source: RegAsm.exe, 0000000A.00000002.479697075.000000001D521000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.887485550.000000001D7B1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: RegAsm.exe, 00000012.00000002.887485550.000000001D7B1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: RegAsm.exe, 00000012.00000002.887485550.000000001D7B1000.00000004.00000001.sdmpString found in binary or memory: http://aMDPVn.com
            Source: RegAsm.exe, 00000012.00000002.888083450.000000001DB1A000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
            Source: RegAsm.exe, 00000012.00000002.888083450.000000001DB1A000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
            Source: RegAsm.exe, 00000012.00000002.888083450.000000001DB1A000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
            Source: RegAsm.exe, 00000012.00000002.888083450.000000001DB1A000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
            Source: RegAsm.exe, 00000012.00000002.888083450.000000001DB1A000.00000004.00000001.sdmpString found in binary or memory: http://fibertech.ae
            Source: RegAsm.exe, 00000012.00000002.888083450.000000001DB1A000.00000004.00000001.sdmpString found in binary or memory: http://mail.fibertech.ae
            Source: RegAsm.exe, 00000012.00000002.888083450.000000001DB1A000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0
            Source: RegAsm.exe, 00000012.00000002.880810437.000000000110B000.00000004.00000020.sdmpString found in binary or memory: http://r3.i.lencr.org/05
            Source: RegAsm.exe, 00000012.00000002.888083450.000000001DB1A000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
            Source: RegAsm.exe, 00000012.00000002.888187876.000000001DB3C000.00000004.00000001.sdmpString found in binary or memory: https://GpRF9zq8AHV0FbxqM.net
            Source: RegAsm.exe, 00000012.00000002.887485550.000000001D7B1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
            Source: RegAsm.exe, 00000012.00000002.887485550.000000001D7B1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
            Source: RegAsm.exe, 00000012.00000002.880649536.00000000010DB000.00000004.00000020.sdmpString found in binary or memory: https://mariotessarollo.com/
            Source: RegAsm.exe, RegAsm.exe, 00000012.00000002.880810437.000000000110B000.00000004.00000020.sdmpString found in binary or memory: https://mariotessarollo.com/or/ag.bin
            Source: RegAsm.exe, 0000000A.00000002.474657961.00000000009A1000.00000040.00000001.sdmp, RegAsm.exe, 00000012.00000002.878545800.0000000000D01000.00000040.00000001.sdmpString found in binary or memory: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin
            Source: RegAsm.exeString found in binary or memory: https://www.sogecoenergy.com/or/ag.bin
            Source: RegAsm.exe, 0000000A.00000002.479697075.000000001D521000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.887485550.000000001D7B1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
            Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownHTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.5:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.5:49719 version: TLS 1.2

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA070C NtSetInformationThread,0_2_02AA070C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_009A60B2 NtProtectVirtualMemory,10_2_009A60B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_009A6032 NtProtectVirtualMemory,10_2_009A6032
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_009A6048 NtProtectVirtualMemory,10_2_009A6048
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_009A5DFF NtProtectVirtualMemory,10_2_009A5DFF
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 14_2_021D070C NtSetInformationThread,14_2_021D070C
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 14_2_021D2740 NtWriteVirtualMemory,14_2_021D2740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_00D060B2 NtProtectVirtualMemory,18_2_00D060B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_00D06048 NtProtectVirtualMemory,18_2_00D06048
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_00D06032 NtProtectVirtualMemory,18_2_00D06032
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_00D05DFF NtProtectVirtualMemory,18_2_00D05DFF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00D6646B NtProtectVirtualMemory,20_2_00D6646B
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_004015940_2_00401594
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_1D3947A010_2_1D3947A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_1D3946B010_2_1D3946B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_01032D5018_2_01032D50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0103A77018_2_0103A770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0103BFD018_2_0103BFD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_01031FE018_2_01031FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0103261818_2_01032618
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0103BF7018_2_0103BF70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0105795818_2_01057958
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0105F1D818_2_0105F1D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0105C46818_2_0105C468
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_0105670818_2_01056708
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_01050B2818_2_01050B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_010593C018_2_010593C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_1CB45CD418_2_1CB45CD4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_1CB4971718_2_1CB49717
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_1CB4489818_2_1CB44898
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_1CB4000618_2_1CB40006
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 18_2_1CB4004018_2_1CB40040
            Source: Joe Sandbox ViewDropped File: C:\Users\user\Afkodedes8\asparagussens.exe C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
            Source: ota.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: asparagussens.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: ota.exe, 00000000.00000002.326497897.0000000002160000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs ota.exe
            Source: ota.exe, 00000000.00000000.228849050.0000000000419000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameELEKTROPLETS.exe vs ota.exe
            Source: ota.exe, 00000000.00000002.326926406.0000000002990000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameELEKTROPLETS.exeFE2XPOWbitPOWbit] vs ota.exe
            Source: ota.exe, 00000000.00000002.326926406.0000000002990000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameELEKTROPLETS.exeFE2XPOWbit2 vs ota.exe
            Source: ota.exe, 00000000.00000002.326926406.0000000002990000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameELEKTROPLETS.exeFE2XPOWbita vs ota.exe
            Source: ota.exe, 00000000.00000002.326926406.0000000002990000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameELEKTROPLETS.exeFE2XPOWbit vs ota.exe
            Source: ota.exe, 00000000.00000002.326926406.0000000002990000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameELEKTROPLETS.exeFE2XPOWbit~ vs ota.exe
            Source: ota.exe, 00000000.00000002.326926406.0000000002990000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameELEKTROPLETS.exeFE2XPOWbitK vs ota.exe
            Source: ota.exeBinary or memory string: OriginalFilenameELEKTROPLETS.exe vs ota.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: ota.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@12/3@6/2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\Afkodedes8Jump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_01
            Source: ota.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\ota.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\ota.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\ota.exe 'C:\Users\user\Desktop\ota.exe'
            Source: C:\Users\user\Desktop\ota.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\ota.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: unknownProcess created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\ota.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\ota.exe' Jump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe' Jump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7116, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6988, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4252, type: MEMORY
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA409F push edx; ret 0_2_02AA40A0
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA14C0 push ecx; ret 0_2_02AA14C1
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA2CD8 push ecx; ret 0_2_02AA2CD9
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA3E34 push eax; ret 0_2_02AA3E35
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA3C64 push ebx; ret 0_2_02AA3C65
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA33A7 push ss; ret 0_2_02AA33B5
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA03EC push eax; ret 0_2_02AA03ED
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA15E4 push ecx; ret 0_2_02AA15E5
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA312B push ebx; iretd 0_2_02AA312E
            Source: C:\Users\user\Desktop\ota.exeCode function: 0_2_02AA056C push eax; ret 0_2_02AA056D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_009A40B1 push ecx; ret 10_2_009A4080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_009A403E push ecx; ret 10_2_009A4080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_009A3F87 push ds; retf 10_2_009A3F9F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_1D39D92E push ss; ret 10_2_1D39D930
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_1D39D4A0 push ss; ret 10_2_1D39D585
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_1D39A191 push ss; ret 10_2_1D39A1BD
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 13_2_02BF0A8A push edi; ret 13_2_02BF0A8B
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 13_2_02BF03EC push eax; ret 13_2_02BF03ED
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 13_2_02BF409E push edx; ret 13_2_02BF40A0
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 13_2_02BF4099 pushad ; iretd 13_2_02BF409A
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 13_2_02BF1EAB push esi; iretd 13_2_02BF1EB2
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 13_2_02BF57FA push edi; ret 13_2_02BF57FB
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 13_2_02BF2CD8 push ecx; ret 13_2_02BF2CD9
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 13_2_02BF15E4 push ecx; ret 13_2_02BF15E5
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 13_2_02BF056C push eax; ret 13_2_02BF056D
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 14_2_021D3E19 push ebx; retf 14_2_021D3E1A
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 14_2_021D3E34 push eax; ret 14_2_021D3E35
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 14_2_021D3C64 push ebx; ret 14_2_021D3C65
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 14_2_021D409E push edx; ret 14_2_021D40A0
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 14_2_021D2CD8 push ecx; ret 14_2_021D2CD9
            Source: C:\Users\user\Afkodedes8\asparagussens.exeCode function: 14_2_021D14C0 push ecx; ret 14_2_021D14C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\Afkodedes8\asparagussens.exeJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternesJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternesJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternesJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternesJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Users\user\Desktop\ota.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ota.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ota.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ota.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ota.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ota.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ota.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ota.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ota.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\ota.exeRDTSC instruction interceptor: First address: 0000000002AA2D2B second address: 0000000002AA2D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F7A687BD638h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007F7A687BD642h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F7A687BD606h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007F7A687BD67Ah 0x00000039 call 00007F7A687BD648h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
            Source: C:\Users\user\Desktop\ota.exeRDTSC instruction interceptor: First address: 0000000002AA2338 second address: 0000000002AA2338 instructions:
            Source: C:\Users\user\Desktop\ota.exeRDTSC instruction interceptor: First address: 0000000002AA25E9 second address: 0000000002AA25E9 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 00000000009A1765 second address: 00000000009A1765 instructions:
            Source: C:\Users\user\Afkodedes8\asparagussens.exeRDTSC instruction interceptor: First address: 0000000002BF2D2B second address: 0000000002BF2D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F7A687BD638h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007F7A687BD642h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F7A687BD606h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007F7A687BD67Ah 0x00000039 call 00007F7A687BD648h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
            Source: C:\Users\user\Afkodedes8\asparagussens.exeRDTSC instruction interceptor: First address: 0000000002BF2338 second address: 0000000002BF2338 instructions:
            Source: C:\Users\user\Afkodedes8\asparagussens.exeRDTSC instruction interceptor: First address: 0000000002BF25E9 second address: 0000000002BF25E9 instructions:
            Source: C:\Users\user\Afkodedes8\asparagussens.exeRDTSC instruction interceptor: First address: 00000000021D2D2B second address: 00000000021D2D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F7A68D47D28h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007F7A68D47D32h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F7A68D47CF6h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007F7A68D47D6Ah 0x00000039 call 00007F7A68D47D38h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
            Source: C:\Users\user\Afkodedes8\asparagussens.exeRDTSC instruction interceptor: First address: 00000000021D2338 second address: 00000000021D2338 instructions:
            Source: C:\Users\user\Afkodedes8\asparagussens.exeRDTSC instruction interceptor: First address: 00000000021D25E9 second address: 00000000021D25E9 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000D01765 second address: 0000000000D01765 instructions:
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect Any.runShow sources
            Source: C:\Users\user\Desktop\ota.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Users\user\Desktop\ota.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Source: C:\Users\user\Afkodedes8\asparagussens.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe