Analysis Report ot.msi

Overview

General Information

Sample Name: ot.msi
Analysis ID: 380171
MD5: 946a444c46b1e672e4eb35725993e1de
SHA1: 12482793a22afbf1835887d0368ca0dc363f1ae7
SHA256: 40879e36f47835c7af7d4e54d844469e5a1f58fda44027a9005ca61bf33d4a6d

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binen Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/= Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.bini Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.bin Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binU Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ows Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binb Avira URL Cloud: Label: malware
Source: https://www.sogecoenergy.com/or/ag.bin Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/or/ag.bin Avira URL Cloud: Label: malware
Found malware configuration
Source: RegAsm.exe.4800.22.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "tshPv", "URL: ": "https://u28IS26ZRk5fJwhXK.org", "To: ": "Backup@fibertech.ae", "ByHost: ": "mail.fibertech.ae:587", "Password: ": "b7SbIQMcS0Agt", "From: ": "test@fibertech.ae"}
Source: unknown HTTPS traffic detected: 116.203.34.79:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49790 version: TLS 1.2

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://u28IS26ZRk5fJwhXK.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49706 -> 79.134.225.109:6090
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.109
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown DNS traffic detected: queries for: www.sogecoenergy.com
Source: RegAsm.exe, 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp String found in binary or memory: http://aMDPVn.com
Source: ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000016.00000002.1047356210.000000001DD6D000.00000004.00000001.sdmp String found in binary or memory: http://fibertech.ae
Source: RegAsm.exe, 00000016.00000002.1047356210.000000001DD6D000.00000004.00000001.sdmp String found in binary or memory: http://mail.fibertech.ae
Source: RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/05
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.l
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: ieinstal.exe, 00000004.00000002.1045640426.000000001E54C000.00000004.00000001.sdmp String found in binary or memory: http://www.yandex.comsocks=http=
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/=
Source: RegAsm.exe String found in binary or memory: https://mariotessarollo.com/or/ag.bin
Source: RegAsm.exe, 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, RegAsm.exe, 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe String found in binary or memory: https://mariotessarollo.com/ot/ot.bin
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/ot/ot.binU
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/ot/ot.binb
Source: ieinstal.exe, 00000004.00000003.526336094.0000000000B42000.00000004.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/ot/ot.binen
Source: ieinstal.exe, 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/ot/ot.bini
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp String found in binary or memory: https://mariotessarollo.com/ows
Source: RegAsm.exe, 00000016.00000002.1047417899.000000001DD90000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1047431438.000000001DD98000.00000004.00000001.sdmp String found in binary or memory: https://u28IS26ZRk5fJwhXK.org
Source: RegAsm.exe String found in binary or memory: https://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe String found in binary or memory: https://www.sogecoenergy.com/ot/ot.bin
Source: ieinstal.exe String found in binary or memory: https://www.sogecoenergy.com/ota.bin
Source: RegAsm.exe, 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown HTTPS traffic detected: 116.203.34.79:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49790 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: ota.exe, 0000000C.00000002.420901484.000000000066A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872AB2 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LoadLibraryA, 4_2_00872AB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00875ADF LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk, 4_2_00875ADF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871EEC TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871EEC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872BC0 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872BDA LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872BDA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871F4B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872CB4 LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk, 4_2_00872CB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872CCC LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872CCC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872003 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872003
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872C13 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872C13
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872C33 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872C33
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872C60 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872C7B LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872C7B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871D96 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871D96
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872D04 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_00872D04
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00875A8C LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00875A8C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00875A92 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00875A92
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871E9B TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871E9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872BA4 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871FA2 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871FA2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872BBC LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872BBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871FD3 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871FD3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871F07 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871F07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871F2E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872B54 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872B54
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872B58 Sleep,LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871F7C TerminateThread,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871F7C
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_0232070C NtSetInformationThread, 12_2_0232070C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_009460AF NtProtectVirtualMemory, 14_2_009460AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00946032 NtProtectVirtualMemory, 14_2_00946032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00946048 NtProtectVirtualMemory, 14_2_00946048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0094646B NtProtectVirtualMemory, 14_2_0094646B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00945DFF NtProtectVirtualMemory, 14_2_00945DFF
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 19_2_0211070C NtSetInformationThread, 19_2_0211070C
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D070C NtSetInformationThread, 20_2_020D070C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F060AF NtProtectVirtualMemory, 22_2_00F060AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F0646B NtProtectVirtualMemory, 22_2_00F0646B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F06048 NtProtectVirtualMemory, 22_2_00F06048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F06032 NtProtectVirtualMemory, 22_2_00F06032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F05DFF NtProtectVirtualMemory, 22_2_00F05DFF
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_00401594 12_2_00401594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D403CCC 14_2_1D403CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D405473 14_2_1D405473
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D4047A0 14_2_1D4047A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D403A44 14_2_1D403A44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D405490 14_2_1D405490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D404750 14_2_1D404750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D404773 14_2_1D404773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D404730 14_2_1D404730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D404790 14_2_1D404790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D4046F0 14_2_1D4046F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_3_00E63843 22_3_00E63843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012B2D50 22_2_012B2D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012BA770 22_2_012BA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012B1FE0 22_2_012B1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012BBFD0 22_2_012BBFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012B2618 22_2_012B2618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012BBF70 22_2_012BBF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012D7910 22_2_012D7910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012DF190 22_2_012DF190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012DC420 22_2_012DC420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012D0B28 22_2_012D0B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012D9378 22_2_012D9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012D4FE0 22_2_012D4FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012D66C0 22_2_012D66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012DD516 22_2_012DD516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012DD1A6 22_2_012DD1A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012DC831 22_2_012DC831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_012DD0A4 22_2_012DD0A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_013865F8 22_2_013865F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_01384490 22_2_01384490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_01385CD4 22_2_01385CD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_01389717 22_2_01389717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_013839B0 22_2_013839B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_01380030 22_2_01380030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0138B850 22_2_0138B850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_01380040 22_2_01380040
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\Afkodedes8\asparagussens.exe C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\ota.exe C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
PE file contains strange resources
Source: ota.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: asparagussens.exe.14.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ot.msi Binary or memory string: OriginalFilenameMandfolkene7.exe vs ot.msi
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: classification engine Classification label: mal100.troj.spyw.evad.winMSI@19/5@6/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Afkodedes8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5008:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\nxADcmgE
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1036:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Local\Temp\Lageradministrationernes5
Source: C:\Windows\Installer\MSI7397.tmp Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\ota.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Afkodedes8\asparagussens.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ot.msi Static file information: TRID: Microsoft Windows Installer (77509/1) 90.64%
Source: unknown Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\ot.msi'
Source: unknown Process created: C:\Windows\Installer\MSI7397.tmp C:\Windows\Installer\MSI7397.tmp
Source: C:\Windows\Installer\MSI7397.tmp Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Installer\MSI7397.tmp
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: C:\Windows\System32\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4800, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1048, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00874B2C LoadLibraryA,GetProcAddress, 4_2_00874B2C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_02322412 push 95CFAB99h; iretd 12_2_023225E2
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_0232409F push edx; ret 12_2_023240A0
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_02322CD8 push ecx; ret 12_2_02322CD9
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_023214C0 push ecx; ret 12_2_023214C1
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_0232056C push eax; ret 12_2_0232056D
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_02323392 push ss; ret 12_2_023233B5
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_023215E4 push ecx; ret 12_2_023215E5
Source: C:\Users\user\AppData\Local\Temp\ota.exe Code function: 12_2_023203EC push eax; ret 12_2_023203ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_009440B1 push ecx; ret 14_2_00944080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_0094403E push ecx; ret 14_2_00944080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00943F87 push ds; retf 14_2_00943F9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_1D40C550 push ds; ret 14_2_1D40C583
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 19_2_0211409F push edx; ret 19_2_021140A0
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 19_2_02112CD8 push ecx; ret 19_2_02112CD9
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 19_2_021114C0 push ecx; ret 19_2_021114C1
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 19_2_02113392 push ss; ret 19_2_021133B5
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 19_2_021115A3 push ecx; ret 19_2_021115E5
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 19_2_021115E6 push ecx; ret 19_2_021115E5
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D3E34 push eax; ret 20_2_020D3E35
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D3C64 push ebx; ret 20_2_020D3C65
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D409E push edx; ret 20_2_020D40A0
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D14C0 push ecx; ret 20_2_020D14C1
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D2CD8 push ecx; ret 20_2_020D2CD9
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D1D4F pushfd ; ret 20_2_020D1D59
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D056C push eax; ret 20_2_020D056D
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D03EC push eax; ret 20_2_020D03ED
Source: C:\Users\user\Afkodedes8\asparagussens.exe Code function: 20_2_020D15E4 push ecx; ret 20_2_020D15E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_3_00E70801 pushfd ; ret 22_3_00E70802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F040B1 push ecx; ret 22_2_00F04080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F0403E push ecx; ret 22_2_00F04080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F03F87 push ds; retf 22_2_00F03F9F

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Local\Temp\ota.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Afkodedes8\asparagussens.exe

Boot Survival:

Creates multiple autostart registry keys
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\msiexec.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Windows\Installer\MSI7397.tmp RDTSC instruction interceptor: First address: 000000000058124D second address: 000000000058124D instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B18438h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test ebx, ecx 0x0000001f pop ecx 0x00000020 test ah, dh 0x00000022 add edi, edx 0x00000024 dec ecx 0x00000025 jmp 00007FD8F0B18442h 0x00000027 cmp dl, dl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FD8F0B18409h 0x0000002e cmp ecx, ebx 0x00000030 push ecx 0x00000031 call 00007FD8F0B18475h 0x00000036 call 00007FD8F0B18448h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Source: C:\Windows\Installer\MSI7397.tmp RDTSC instruction interceptor: First address: 00000000005805B3 second address: 00000000005805B3 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000871545 second address: 0000000000871545 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002322D2B second address: 0000000002322D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B430B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B430C2h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B43086h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B430FAh 0x00000039 call 00007FD8F0B430C8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002322338 second address: 0000000002322338 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 00000000023225E9 second address: 00000000023225E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000941765 second address: 0000000000941765 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 0000000002112D2B second address: 0000000002112D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B430B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B430C2h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B43086h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B430FAh 0x00000039 call 00007FD8F0B430C8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 0000000002112338 second address: 0000000002112338 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 00000000021125E9 second address: 00000000021125E9 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 00000000020D2D2B second address: 00000000020D2D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B43208h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B43212h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B431D6h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B4324Ah 0x00000039 call 00007FD8F0B43218h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 00000000020D2338 second address: 00000000020D2338 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 00000000020D25E9 second address: 00000000020D25E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F01765 second address: 0000000000F01765 instructions:
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Windows\Installer\MSI7397.tmp File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Installer\MSI7397.tmp File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\ota.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\ota.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Afkodedes8\asparagussens.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Afkodedes8\asparagussens.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ota.exe, 0000000C.00000002.420913777.0000000000681000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE"R
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Installer\MSI7397.tmp RDTSC instruction interceptor: First address: 000000000058124D second address: 000000000058124D instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B18438h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test ebx, ecx 0x0000001f pop ecx 0x00000020 test ah, dh 0x00000022 add edi, edx 0x00000024 dec ecx 0x00000025 jmp 00007FD8F0B18442h 0x00000027 cmp dl, dl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FD8F0B18409h 0x0000002e cmp ecx, ebx 0x00000030 push ecx 0x00000031 call 00007FD8F0B18475h 0x00000036 call 00007FD8F0B18448h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Source: C:\Windows\Installer\MSI7397.tmp RDTSC instruction interceptor: First address: 00000000005813D8 second address: 00000000005813D8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B470D7h 0x0000001d popad 0x0000001e call 00007FD8F0B430BDh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Installer\MSI7397.tmp RDTSC instruction interceptor: First address: 00000000005805B3 second address: 00000000005805B3 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 00000000008713D8 second address: 00000000008713D8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B470D7h 0x0000001d popad 0x0000001e call 00007FD8F0B430BDh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000871545 second address: 0000000000871545 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002322D2B second address: 0000000002322D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B430B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B430C2h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B43086h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B430FAh 0x00000039 call 00007FD8F0B430C8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002322F18 second address: 0000000002322F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B458E3h 0x0000001d popad 0x0000001e call 00007FD8F0B43259h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 0000000002322338 second address: 0000000002322338 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe RDTSC instruction interceptor: First address: 00000000023225E9 second address: 00000000023225E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000942F18 second address: 0000000000942F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B45793h 0x0000001d popad 0x0000001e call 00007FD8F0B43109h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000941765 second address: 0000000000941765 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 0000000002112D2B second address: 0000000002112D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B430B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B430C2h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B43086h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B430FAh 0x00000039 call 00007FD8F0B430C8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 0000000002112F18 second address: 0000000002112F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B458E3h 0x0000001d popad 0x0000001e call 00007FD8F0B43259h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 0000000002112338 second address: 0000000002112338 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 00000000021125E9 second address: 00000000021125E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F02F18 second address: 0000000000F02F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B45793h 0x0000001d popad 0x0000001e call 00007FD8F0B43109h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 00000000020D2D2B second address: 00000000020D2D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B43208h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B43212h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B431D6h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B4324Ah 0x00000039 call 00007FD8F0B43218h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 00000000020D2F18 second address: 00000000020D2F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B45793h 0x0000001d popad 0x0000001e call 00007FD8F0B43109h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 00000000020D2338 second address: 00000000020D2338 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe RDTSC instruction interceptor: First address: 00000000020D25E9 second address: 00000000020D25E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F01765 second address: 0000000000F01765 instructions:
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871EEC rdtsc 4_2_00871EEC
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 9587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 8730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1097
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9200
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 9.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3396 Thread sleep time: -150000s >= -30000s
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1240 Thread sleep count: 9587 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1240 Thread sleep time: -47935s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3008 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5900 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3776 Thread sleep count: 586 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3776 Thread sleep count: 9200 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5900 Thread sleep count: 48 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 9587 delay: -5
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread delayed: delay time: 75000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: ota.exe, 0000000C.00000002.420913777.0000000000681000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe"R
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Windows\Installer\MSI7397.tmp Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ota.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Afkodedes8\asparagussens.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871EEC rdtsc 4_2_00871EEC
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00872CC4 LdrInitializeThunk, 4_2_00872CC4
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00874B2C LoadLibraryA,GetProcAddress, 4_2_00874B2C
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_008729D9 mov eax, dword ptr fs:[00000030h] 4_2_008729D9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00874658 mov eax, dword ptr fs:[00000030h] 4_2_00874658
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00874668 mov eax, dword ptr fs:[00000030h] 4_2_00874668
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00874707 mov eax, dword ptr fs:[00000030h] 4_2_00874707
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00874F70 mov eax, dword ptr fs:[00000030h] 4_2_00874F70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00874F79 mov eax, dword ptr fs:[00000030h] 4_2_00874F79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_009450B5 mov eax, dword ptr fs:[00000030h] 14_2_009450B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_009448DC mov eax, dword ptr fs:[00000030h] 14_2_009448DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00945BCB mov eax, dword ptr fs:[00000030h] 14_2_00945BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00945B66 mov eax, dword ptr fs:[00000030h] 14_2_00945B66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F048DC mov eax, dword ptr fs:[00000030h] 22_2_00F048DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F050B5 mov eax, dword ptr fs:[00000030h] 22_2_00F050B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F05BCB mov eax, dword ptr fs:[00000030h] 22_2_00F05BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00F05B66 mov eax, dword ptr fs:[00000030h] 22_2_00F05B66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00B050B5 mov eax, dword ptr fs:[00000030h] 26_2_00B050B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00B048E7 mov eax, dword ptr fs:[00000030h] 26_2_00B048E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00B048DC mov eax, dword ptr fs:[00000030h] 26_2_00B048DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00B01DA6 mov eax, dword ptr fs:[00000030h] 26_2_00B01DA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00B01DC0 mov eax, dword ptr fs:[00000030h] 26_2_00B01DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00B02BB2 mov eax, dword ptr fs:[00000030h] 26_2_00B02BB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00B05BCB mov eax, dword ptr fs:[00000030h] 26_2_00B05BCB
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00871F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871F4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\ota.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 940000
Source: C:\Users\user\Afkodedes8\asparagussens.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F00000
Source: C:\Users\user\Afkodedes8\asparagussens.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B00000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\Installer\MSI7397.tmp Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Installer\MSI7397.tmp
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\AppData\Local\Temp\ota.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\Afkodedes8\asparagussens.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: ieinstal.exe, 00000004.00000002.1038981768.00000000032A0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.1039885229.0000000001770000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 00000004.00000002.1038981768.00000000032A0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.1039885229.0000000001770000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000004.00000002.1038981768.00000000032A0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.1039885229.0000000001770000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 00000004.00000002.1038981768.00000000032A0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.1039885229.0000000001770000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_00874CD2 cpuid 4_2_00874CD2
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4800, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1048, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4800, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1048, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4800, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1048, type: MEMORY
Behavior Graph

Behavior Graph ID: 380171  Sample: ot.msi  Startdate: 01/04/2021  Architecture: WINDOWS  Score: 100

Sample-level signatures: Found malware configuration; Antivirus detection for URL or domain; Sigma detected: RegAsm connects to smtp port; 6 other signatures

Process tree (each process with its signatures, contacted hosts and dropped files; indentation shows which process started which):

MSI7397.tmp
  Signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements
  ieinstal.exe
    Contacts: mariotessarollo.com 185.81.0.109 (ports 443, 49705, 49743; SERVERPLAN-ASIT, Italy); sogecoenergy.com 116.203.34.79 (ports 443, 49704; HETZNER-ASDE, Germany); 2 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\Temp\ota.exe (PE32)
    Signatures: Creates multiple autostart registry keys; Tries to detect Any.run; Hides threads from debuggers
    ota.exe
      Signatures: Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 2 other signatures
      RegAsm.exe
        Contacts: mariotessarollo.com
        Dropped: C:\Users\user\Afkodedes8\asparagussens.exe (PE32)
        Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Creates multiple autostart registry keys; 4 other signatures
        conhost.exe
asparagussens.exe
  Signatures: Writes to foreign memory regions; Hides threads from debuggers
  RegAsm.exe
    Contacts: fibertech.ae 192.185.29.233 (ports 49855, 49859, 587; UNIFIEDLAYER-AS-1US, United States); mail.fibertech.ae
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    conhost.exe
  RegAsm.exe
asparagussens.exe
  RegAsm.exe
    conhost.exe
msiexec.exe

Contacted Public IPs

IP              Domain               Country        ASN    ASN Name                 Malicious
116.203.34.79   sogecoenergy.com     Germany        24940  HETZNER-ASDE             false
185.81.0.109    mariotessarollo.com  Italy          52030  SERVERPLAN-ASIT          false
79.134.225.109  unknown              Switzerland    6775   FINK-TELECOM-SERVICESCH  false
192.185.29.233  fibertech.ae         United States  46606  UNIFIEDLAYER-AS-1US      true

Contacted Domains

Name                 IP              Active
sogecoenergy.com     116.203.34.79   true
fibertech.ae         192.185.29.233  true
mariotessarollo.com  185.81.0.109    true
www.sogecoenergy.com unknown         unknown
mail.fibertech.ae    unknown         unknown

Contacted URLs

Name                           Malicious  Antivirus Detection    Reputation
https://u28IS26ZRk5fJwhXK.org  true       Avira URL Cloud: safe  unknown