
Analysis Report ot.msi

Overview

General Information

Sample Name: ot.msi
Analysis ID: 380171
MD5: 946a444c46b1e672e4eb35725993e1de
SHA1: 12482793a22afbf1835887d0368ca0dc363f1ae7
SHA256: 40879e36f47835c7af7d4e54d844469e5a1f58fda44027a9005ca61bf33d4a6d

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • msiexec.exe (PID: 3360 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\ot.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
  • MSI7397.tmp (PID: 4792 cmdline: C:\Windows\Installer\MSI7397.tmp MD5: 287073F3D2C3100BA375B7BF0DB3B0D9)
    • ieinstal.exe (PID: 4232 cmdline: C:\Windows\Installer\MSI7397.tmp MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • ota.exe (PID: 4900 cmdline: 'C:\Users\user\AppData\Local\Temp\ota.exe' MD5: F22F008D6287349195ADEF8975497D1F)
        • RegAsm.exe (PID: 1048 cmdline: 'C:\Users\user\AppData\Local\Temp\ota.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
          • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • asparagussens.exe (PID: 484 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)
    • RegAsm.exe (PID: 4784 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 4800 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 1036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • asparagussens.exe (PID: 1180 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)
    • RegAsm.exe (PID: 5612 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 5008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "tshPv", "URL: ": "https://u28IS26ZRk5fJwhXK.org", "To: ": "Backup@fibertech.ae", "ByHost: ": "mail.fibertech.ae:587", "Password: ": "b7SbIQMcS0Agt", "From: ": "test@fibertech.ae"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: RegAsm.exe PID: 4800 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 192.185.29.233, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 4800, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49855

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binen | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/= | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.bini | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binU | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ows | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binb | Avira URL Cloud: Label: malware
Source: https://www.sogecoenergy.com/or/ag.bin | Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/or/ag.bin | Avira URL Cloud: Label: malware

Found malware configuration
Source: RegAsm.exe.4800.22.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "tshPv", "URL: ": "https://u28IS26ZRk5fJwhXK.org", "To: ": "Backup@fibertech.ae", "ByHost: ": "mail.fibertech.ae:587", "Password: ": "b7SbIQMcS0Agt", "From: ": "test@fibertech.ae"}
Source: unknown | HTTPS traffic detected: 116.203.34.79:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49790 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://u28IS26ZRk5fJwhXK.org
Source: global traffic | TCP traffic: 192.168.2.3:49706 -> 79.134.225.109:6090
Source: Joe Sandbox View | IP Address: 79.134.225.109
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown | DNS traffic detected: queries for: www.sogecoenergy.com
Source: RegAsm.exe, 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp | String found in binary or memory: http://aMDPVn.com
Source: ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000016.00000002.1047356210.000000001DD6D000.00000004.00000001.sdmp | String found in binary or memory: http://fibertech.ae
Source: RegAsm.exe, 00000016.00000002.1047356210.000000001DD6D000.00000004.00000001.sdmp | String found in binary or memory: http://mail.fibertech.ae
Source: RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/05
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.l
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: ieinstal.exe, 00000004.00000002.1045640426.000000001E54C000.00000004.00000001.sdmp | String found in binary or memory: http://www.yandex.comsocks=http=
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/=
Source: RegAsm.exe | String found in binary or memory: https://mariotessarollo.com/or/ag.bin
Source: RegAsm.exe, 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, RegAsm.exe, 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe | String found in binary or memory: https://mariotessarollo.com/ot/ot.bin
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/ot/ot.binU
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/ot/ot.binb
Source: ieinstal.exe, 00000004.00000003.526336094.0000000000B42000.00000004.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/ot/ot.binen
Source: ieinstal.exe, 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/ot/ot.bini
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp | String found in binary or memory: https://mariotessarollo.com/ows
Source: RegAsm.exe, 00000016.00000002.1047417899.000000001DD90000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1047431438.000000001DD98000.00000004.00000001.sdmp | String found in binary or memory: https://u28IS26ZRk5fJwhXK.org
Source: RegAsm.exe | String found in binary or memory: https://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe | String found in binary or memory: https://www.sogecoenergy.com/ot/ot.bin
Source: ieinstal.exe | String found in binary or memory: https://www.sogecoenergy.com/ota.bin
Source: RegAsm.exe, 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: ota.exe, 0000000C.00000002.420901484.000000000066A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Source: C:\Users\user\Afkodedes8\asparagussens.exe | Process Stats: CPU usage > 98%
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872AB2 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LoadLibraryA, 4_2_00872AB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00875ADF LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk, 4_2_00875ADF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00871EEC TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871EEC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872BC0 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872BDA LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872BDA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00871F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871F4B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872CB4 LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk, 4_2_00872CB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872CCC LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872CCC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872003 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872003
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872C13 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872C13
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872C33 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872C33
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872C60 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872C7B LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872C7B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00871D96 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871D96
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872D04 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_00872D04
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00875A8C LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00875A8C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00875A92 LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00875A92
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00871E9B TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871E9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872BA4 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00871FA2 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871FA2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872BBC LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872BBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00871FD3 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871FD3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00871F07 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871F07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00871F2E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872B54 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872B54
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00872B58 Sleep,LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00872B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00871F7C TerminateThread,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_00871F7C
Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 12_2_0232070C NtSetInformationThread, 12_2_0232070C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_009460AF NtProtectVirtualMemory, 14_2_009460AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00946032 NtProtectVirtualMemory, 14_2_00946032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00946048 NtProtectVirtualMemory, 14_2_00946048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0094646B NtProtectVirtualMemory, 14_2_0094646B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00945DFF NtProtectVirtualMemory, 14_2_00945DFF
Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 19_2_0211070C NtSetInformationThread, 19_2_0211070C
Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D070C NtSetInformationThread, 20_2_020D070C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 22_2_00F060AF NtProtectVirtualMemory, 22_2_00F060AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 22_2_00F0646B NtProtectVirtualMemory, 22_2_00F0646B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 22_2_00F06048 NtProtectVirtualMemory, 22_2_00F06048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 22_2_00F06032 NtProtectVirtualMemory, 22_2_00F06032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 22_2_00F05DFF NtProtectVirtualMemory, 22_2_00F05DFF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 22_2_0138B85022_2_0138B850
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 22_2_0138004022_2_01380040
            Source: Joe Sandbox View | Dropped File: C:\Users\user\Afkodedes8\asparagussens.exe C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\ota.exe C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
            Source: ota.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: asparagussens.exe.14.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: ot.msi | Binary or memory string: OriginalFilenameMandfolkene7.exe vs ot.msi
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winMSI@19/5@6/4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\Afkodedes8
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5008:120:WilError_01
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\nxADcmgE
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1036:120:WilError_01
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\Lageradministrationernes5
            Source: C:\Windows\Installer\MSI7397.tmp | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: ot.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 90.64%
            Source: unknown | Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\ot.msi'
            Source: unknown | Process created: C:\Windows\Installer\MSI7397.tmp C:\Windows\Installer\MSI7397.tmp
            Source: C:\Windows\Installer\MSI7397.tmp | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Installer\MSI7397.tmp
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: unknown | Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\Installer\MSI7397.tmp | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Installer\MSI7397.tmp
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
            Source: C:\Windows\System32\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4800, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1048, type: MEMORY
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_00874B2C LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 12_2_02322412 push 95CFAB99h; iretd 12_2_023225E2
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 12_2_0232409F push edx; ret 12_2_023240A0
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 12_2_02322CD8 push ecx; ret 12_2_02322CD9
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 12_2_023214C0 push ecx; ret 12_2_023214C1
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 12_2_0232056C push eax; ret 12_2_0232056D
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 12_2_02323392 push ss; ret 12_2_023233B5
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 12_2_023215E4 push ecx; ret 12_2_023215E5
            Source: C:\Users\user\AppData\Local\Temp\ota.exe | Code function: 12_2_023203EC push eax; ret 12_2_023203ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_009440B1 push ecx; ret 14_2_00944080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0094403E push ecx; ret 14_2_00944080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00943F87 push ds; retf 14_2_00943F9F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_1D40C550 push ds; ret 14_2_1D40C583
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 19_2_0211409F push edx; ret 19_2_021140A0
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 19_2_02112CD8 push ecx; ret 19_2_02112CD9
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 19_2_021114C0 push ecx; ret 19_2_021114C1
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 19_2_02113392 push ss; ret 19_2_021133B5
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 19_2_021115A3 push ecx; ret 19_2_021115E5
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 19_2_021115E6 push ecx; ret 19_2_021115E5
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D3E34 push eax; ret 20_2_020D3E35
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D3C64 push ebx; ret 20_2_020D3C65
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D409E push edx; ret 20_2_020D40A0
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D14C0 push ecx; ret 20_2_020D14C1
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D2CD8 push ecx; ret 20_2_020D2CD9
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D1D4F pushfd ; ret 20_2_020D1D59
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D056C push eax; ret 20_2_020D056D
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D03EC push eax; ret 20_2_020D03ED
            Source: C:\Users\user\Afkodedes8\asparagussens.exe | Code function: 20_2_020D15E4 push ecx; ret 20_2_020D15E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 22_3_00E70801 pushfd ; ret 22_3_00E70802
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 22_2_00F040B1 push ecx; ret 22_2_00F04080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 22_2_00F0403E push ecx; ret 22_2_00F04080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 22_2_00F03F87 push ds; retf 22_2_00F03F9F
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\ota.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\Afkodedes8\asparagussens.exe

            Boot Survival:

            Creates multiple autostart registry keys
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes
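            The two things an analyst pulls out of a report like this first are the process chain listed earlier (msiexec.exe, then the MSI7397.tmp custom action, ieinstal.exe, ota.exe and finally RegAsm.exe) and the Run/RunOnce values written in this section. The following is an added example, not code from the report or from Joe Sandbox: a small Python parser for the text export's "Process created" and "Registry value created or modified" rows that rebuilds the parent/child chain, flags children started with another binary's command line (ieinstal.exe run with MSI7397.tmp's command line, RegAsm.exe with ota.exe's, the pattern behind the "writes to foreign memory regions" finding), and lists the autostart values with the process that wrote them. The sample rows are copied from this page; the command-line mismatch check is a heuristic to be reviewed by hand, and the function names, regular expressions and the "unknown" parent label are this example's own.

```python
"""Triage helper for Joe Sandbox behaviour rows, written for this page.

Added example, not the report's or Joe Sandbox's own code. It parses the
"Process created" and "Registry value created or modified" rows of a text
export, rebuilds the parent -> child chain, and flags two things this
report shows: a child whose command line names a different binary than
the image that was started, and Run / RunOnce values written by any
process.
"""
import re
from ntpath import basename

# Row shape: "Source: <proc>" followed by "<category>: <detail>". The raw
# text export fuses the two columns and appends the "Jump to behavior"
# link text; both the fused form and a " | " separator are accepted.
ROW = re.compile(
    r"^Source:\s*(.+?)\s*\|?\s*"
    r"(Process created|Registry value created or modified):\s*"
    r"(.*?)\s*(?:Jump to behavior)?$"
)
# Image path (ends in .exe or .tmp) followed by the child's command line.
IMAGE_THEN_CMDLINE = re.compile(r"^(.+?\.(?:exe|tmp))\s+(.*)$", re.I)
# First command-line token, with or without single or double quotes.
FIRST_TOKEN = re.compile(r"""^(?:'([^']*)'|"([^"]*)"|(\S+))""")
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)

# Constructed sample: rows taken from this report's process and
# persistence sections; the last three are left in the raw fused form.
SAMPLE_ROWS = [
    r"Source: unknown | Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\ot.msi'",
    r"Source: unknown | Process created: C:\Windows\Installer\MSI7397.tmp C:\Windows\Installer\MSI7397.tmp",
    r"Source: C:\Windows\Installer\MSI7397.tmp | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Installer\MSI7397.tmp",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'",
    r"Source: C:\Users\user\AppData\Local\Temp\ota.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologiskJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternesJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternesJump to behavior",
]


def parse_rows(rows):
    """Split rows into process edges (parent, image, cmdline) and
    registry writes under Run / RunOnce (writer, key, value_name)."""
    edges, autostart = [], []
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        source, kind, detail = m.groups()
        if kind == "Process created":
            im = IMAGE_THEN_CMDLINE.match(detail)
            if im:
                edges.append((source, im.group(1), im.group(2)))
        else:
            key, _, value = detail.rpartition(" ")
            if AUTOSTART_KEY.search(key):
                autostart.append((source, key, value))
    return edges, autostart


def process_chain(edges):
    """Deduplicated parent -> child links by image basename, in order seen."""
    chain = []
    for parent, image, _ in edges:
        link = (basename(parent), basename(image))
        if link not in chain:
            chain.append(link)
    return chain


def command_line_mismatches(edges):
    """Children whose command line starts with a different binary than
    the image that was created. A parent that starts a host process with
    its own command line and then writes into it is the usual cause;
    treat hits as leads, not proof."""
    hits = []
    for parent, image, cmdline in edges:
        tok = FIRST_TOKEN.match(cmdline)
        first = next((g for g in tok.groups() if g is not None), "") if tok else ""
        if basename(first).lower() != basename(image).lower():
            hit = (basename(parent), basename(image), basename(first))
            if hit not in hits:
                hits.append(hit)
    return hits


def autostart_entries(autostart):
    """Deduplicated (writer, Run|RunOnce, value name) triples."""
    out = []
    for writer, key, value in autostart:
        entry = (basename(writer), key.rsplit("\\", 1)[-1], value)
        if entry not in out:
            out.append(entry)
    return out


def triage(rows):
    edges, autostart = parse_rows(rows)
    return {
        "chain": process_chain(edges),
        "hollowed": command_line_mismatches(edges),
        "autostart": autostart_entries(autostart),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for parent, child in result["chain"]:
        print(f"{parent} -> {child}")
    for parent, image, named in result["hollowed"]:
        print(f"{parent} started {image} with {named}'s command line")
    for writer, key, value in result["autostart"]:
        print(f"{writer} wrote HKCU ...\\{key}\\{value}")
```

            On the rows above the chain comes out as unknown -> msiexec.exe -> MSI7397.tmp -> ieinstal.exe -> ota.exe -> RegAsm.exe -> conhost.exe, the mismatch check names ieinstal.exe (started with MSI7397.tmp's command line) and RegAsm.exe (started with ota.exe's), and the persistence list reduces the eight repeated registry rows to one Run value written by ieinstal.exe and one RunOnce value written by RegAsm.exe. Feed it the whole text export and the same three lists fall out for the asparagussens.exe branch as well.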