
Analysis Report ddff.exe

Overview

General Information

Sample Name:ddff.exe
Analysis ID:382651
MD5:ded56210e4491797f704b4b0525238d8
SHA1:7a1ca12b56aee84bab41abb6cd4b6eb50a64ef21
SHA256:422287b67dd187c3fae4472cdf654ef69354ab78ac094dee6711874c9e59f1f4

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • ddff.exe (PID: 5444 cmdline: 'C:\Users\user\Desktop\ddff.exe' MD5: DED56210E4491797F704B4B0525238D8)
    • RegAsm.exe (PID: 3924 cmdline: 'C:\Users\user\Desktop\ddff.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "edeiF78", "URL: ": "https://t8vI5nXseaUv.com", "To: ": "sanetbehin.co@gmail.com", "ByHost: ": "mail.gcclatinoamerica.com:587", "Password: ": "6VomwXsWgiEV7", "From: ": "jobs@gcclatinoamerica.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.847807886.0000000000F02000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: RegAsm.exe PID: 3924 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 3924 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 108.179.235.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 3924, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49751

Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.3924.19.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "edeiF78", "URL: ": "https://t8vI5nXseaUv.com", "To: ": "sanetbehin.co@gmail.com", "ByHost: ": "mail.gcclatinoamerica.com:587", "Password: ": "6VomwXsWgiEV7", "From: ": "jobs@gcclatinoamerica.com"}
Multi AV Scanner detection for submitted file
Source: ddff.exe | Virustotal: Detection: 15%
Machine Learning detection for sample
Source: ddff.exe | Joe Sandbox ML: detected
Source: ddff.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.3:49733 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://t8vI5nXseaUv.com
Source: global traffic | TCP traffic: 192.168.2.3:49751 -> 108.179.235.108:587
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: doc-0k-1c-docs.googleusercontent.com
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: http://ChSulR.com
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://mail.gcclatinoamerica.com
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000013.00000002.850646188.00000000013AE000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-1c-docs.googleusercontent.com/
Source: RegAsm.exe, 00000013.00000002.850763791.00000000013CC000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-1c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/55mju4ru
Source: RegAsm.exe, 00000013.00000002.850646188.00000000013AE000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-1c-docs.googleusercontent.com/su
Source: RegAsm.exe, 00000013.00000002.850301803.000000000136B000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000013.00000002.850301803.000000000136B000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/=:
Source: RegAsm.exe, RegAsm.exe, 00000013.00000002.850301803.000000000136B000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1kid0owgaMCzRLqlPjIt2boGIIgOTgmca
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.857439462.000000001DF7D000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.857541790.000000001DFA6000.00000004.00000001.sdmp | String found in binary or memory: https://t8vI5nXseaUv.com
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.3:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\ddff.exe | Code function: 0_2_00414594 OpenClipboard, 0_2_00414594
Source: ddff.exe, 00000000.00000002.408563933.00000000006E8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Source: C:\Users\user\Desktop\ddff.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08809 NtProtectVirtualMemory, 19_2_00F08809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F082D9 NtProtectVirtualMemory, 19_2_00F082D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F088F4 NtProtectVirtualMemory, 19_2_00F088F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F088C6 NtProtectVirtualMemory, 19_2_00F088C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F0889E NtProtectVirtualMemory, 19_2_00F0889E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08875 NtProtectVirtualMemory, 19_2_00F08875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08C7F NtProtectVirtualMemory, 19_2_00F08C7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08C54 NtProtectVirtualMemory, 19_2_00F08C54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F0884D NtProtectVirtualMemory, 19_2_00F0884D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08824 NtProtectVirtualMemory, 19_2_00F08824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F089CC NtProtectVirtualMemory, 19_2_00F089CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F089A7 NtProtectVirtualMemory, 19_2_00F089A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08979 NtProtectVirtualMemory, 19_2_00F08979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08D6E NtProtectVirtualMemory, 19_2_00F08D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08951 NtProtectVirtualMemory, 19_2_00F08951
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08922 NtProtectVirtualMemory, 19_2_00F08922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08D2C NtProtectVirtualMemory, 19_2_00F08D2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08D04 NtProtectVirtualMemory, 19_2_00F08D04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08AE3 NtProtectVirtualMemory, 19_2_00F08AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F082D7 NtProtectVirtualMemory, 19_2_00F082D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08ABE NtProtectVirtualMemory, 19_2_00F08ABE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08A89 NtProtectVirtualMemory, 19_2_00F08A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08A61 NtProtectVirtualMemory, 19_2_00F08A61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08A35 NtProtectVirtualMemory, 19_2_00F08A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08A05 NtProtectVirtualMemory, 19_2_00F08A05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08BDE NtProtectVirtualMemory, 19_2_00F08BDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08B9F NtProtectVirtualMemory, 19_2_00F08B9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08B77 NtProtectVirtualMemory, 19_2_00F08B77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08B4B NtProtectVirtualMemory, 19_2_00F08B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F08B14 NtProtectVirtualMemory, 19_2_00F08B14
Source: C:\Users\user\Desktop\ddff.exe | Code function: 0_2_004064CA, 0_2_004064CA
Source: C:\Users\user\Desktop\ddff.exe | Code function: 0_2_0040729D, 0_2_0040729D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F0433E, 19_2_00F0433E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_01256878, 19_2_01256878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_01255B18, 19_2_01255B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_0128A9E8, 19_2_0128A9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_01287B98, 19_2_01287B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_012847F2, 19_2_012847F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_01280DB0, 19_2_01280DB0
Source: ddff.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ddff.exe, 00000000.00000002.409248775.0000000002A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenyanlgg.exeFE2X vs ddff.exe
Source: ddff.exe, 00000000.00000002.409248775.0000000002A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenyanlgg.exeFE2XN vs ddff.exe
Source: ddff.exe, 00000000.00000002.409248775.0000000002A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenyanlgg.exeFE2X) vs ddff.exe
Source: ddff.exe, 00000000.00000002.409248775.0000000002A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenyanlgg.exeFE2XM vs ddff.exe
Source: ddff.exe, 00000000.00000002.409248775.0000000002A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenyanlgg.exeFE2X$ vs ddff.exe
Source: ddff.exe, 00000000.00000002.409248775.0000000002A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs ddff.exe
Source: ddff.exe, 00000000.00000000.195030837.0000000000419000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenyanlgg.exe vs ddff.exe
Source: ddff.exe | Binary or memory string: OriginalFilenamenyanlgg.exe vs ddff.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: ddff.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\ifg4v0bb.jfl
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_01
Source: C:\Users\user\Desktop\ddff.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD9AA5F3A51F7B645.TMP
Source: ddff.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ddff.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ddff.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ddff.exe | Virustotal: Detection: 15%
Source: unknown | Process created: C:\Users\user\Desktop\ddff.exe 'C:\Users\user\Desktop\ddff.exe'
Source: C:\Users\user\Desktop\ddff.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\ddff.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000013.00000002.847807886.0000000000F02000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3924, type: MEMORY
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00404E47 pushfd ; iretd 0_2_00404E48
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00404048 pushfd ; iretd 0_2_0040404C
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00406401 push ecx; iretd 0_2_00406403
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00406404 push ecx; iretd 0_2_00406406
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00406407 push ecx; iretd 0_2_00406409
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_0040640A push ecx; iretd 0_2_0040640C
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_0040640D push ecx; iretd 0_2_0040640F
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00406410 push ecx; iretd 0_2_00406412
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_0040903C push ss; retf 0_2_00409046
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004020CD pushfd ; iretd 0_2_004020FC
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00402EE9 push dword ptr [edi-4B012F33h]; retf 0_2_00402EFC
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004020FD pushfd ; iretd 0_2_00402100
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_0040336B push fs; ret 0_2_00403404
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00402301 pushfd ; iretd 0_2_00402304
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00405F05 push ecx; iretd 0_2_004063C4
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00405F05 push ecx; iretd 0_2_004063C7
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063C8 push ecx; iretd 0_2_004063CA
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063CB push ecx; iretd 0_2_004063CD
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063CE push ecx; iretd 0_2_004063D0
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063D1 push ecx; iretd 0_2_004063D3
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063D4 push ecx; iretd 0_2_004063D6
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063D7 push ecx; iretd 0_2_004063D9
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_00402BD8 pushfd ; iretd 0_2_00402BE0
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063DA push ecx; iretd 0_2_004063DC
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063DD push ecx; iretd 0_2_004063DF
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063E0 push ecx; iretd 0_2_004063E2
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063E3 push ecx; iretd 0_2_004063E5
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063E6 push ecx; iretd 0_2_004063E8
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063E9 push ecx; iretd 0_2_004063EB
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063EC push ecx; iretd 0_2_004063EE
            Source: C:\Users\user\Desktop\ddff.exeCode function: 0_2_004063EF push ecx; iretd 0_2_004063F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Users\user\Desktop\ddff.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ddff.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ddff.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ddff.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ddff.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ddff.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\ddff.exe RDTSC instruction interceptor: First address: 0000000000523AE6 second address: 0000000000523AE6 instructions:
                0x00000000 rdtsc
                0x00000002 xor eax, eax
                0x00000004 inc eax
                0x00000005 cpuid
                0x00000007 popad
                0x00000008 call 00007F6C0094A148h
                0x0000000d lfence
                0x00000010 mov edx, dword ptr [7FFE0014h]
                0x00000016 lfence
                0x00000019 ret
                0x0000001a sub edx, esi
                0x0000001c ret
                0x0000001d pop ecx
                0x0000001e add edi, edx
                0x00000020 dec ecx
                0x00000021 cmp ecx, 00000000h
                0x00000024 jne 00007F6C0094A131h
                0x00000026 cmp ch, dh
                0x00000028 push ecx
                0x00000029 call 00007F6C0094A1ADh
                0x0000002e call 00007F6C0094A158h
                0x00000033 lfence
                0x00000036 mov edx, dword ptr [7FFE0014h]
                0x0000003c lfence
                0x0000003f ret
                0x00000040 mov esi, edx
                0x00000042 pushad
                0x00000043 rdtsc
            Source: C:\Users\user\Desktop\ddff.exe RDTSC instruction interceptor: First address: 000000000052367A second address: 000000000052367A instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F02016 second address: 0000000000F02016 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F02162 second address: 0000000000F02162 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F022F8 second address: 0000000000F022F8 instructions:
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect Any.run
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: ddff.exe, 00000000.00000002.408563933.00000000006E8000.00000004.00000020.sdmp, RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\ddff.exe RDTSC instruction interceptor: First address: 0000000000523AE6 second address: 0000000000523AE6 instructions: (same sequence as listed under "Detected RDTSC dummy instruction sequence" above)
            Source: C:\Users\user\Desktop\ddff.exe RDTSC instruction interceptor: First address: 0000000000523DA0 second address: 0000000000523DA0 instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e xor eax, eax
                0x00000010 inc eax
                0x00000011 cpuid
                0x00000013 bt ecx, 1Fh
                0x00000017 jc 00007F6C0094E494h
                0x0000001d popad
                0x0000001e call 00007F6C0094ACCFh
                0x00000023 lfence
                0x00000026 rdtsc
            Source: C:\Users\user\Desktop\ddff.exe RDTSC instruction interceptor: First address: 000000000052367A second address: 000000000052367A instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F03DA0 second address: 0000000000F03DA0 instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a ret
                0x0000000b mov esi, edx
                0x0000000d pushad
                0x0000000e xor eax, eax
                0x00000010 inc eax
                0x00000011 cpuid
                0x00000013 bt ecx, 1Fh
                0x00000017 jc 00007F6C0094E494h
                0x0000001d popad
                0x0000001e call 00007F6C0094ACCFh
                0x00000023 lfence
                0x00000026 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F02016 second address: 0000000000F02016 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F02162 second address: 0000000000F02162 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F022F8 second address: 0000000000F022F8 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 19_2_00F034E3 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9499
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5848 Thread sleep time: -13835058055282155s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
            Source: RegAsm.exe, 00000013.00000002.850301803.000000000136B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWX
            Source: RegAsm.exe, 00000013.00000002.858637359.0000000020720000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: RegAsm.exe, 00000013.00000002.850646188.00000000013AE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
            Source: RegAsm.exe, 00000013.00000002.858637359.0000000020720000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: ddff.exe, 00000000.00000002.408563933.00000000006E8000.00000004.00000020.sdmp, RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: RegAsm.exe, 00000013.00000002.858637359.0000000020720000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: RegAsm.exe, 00000013.00000002.858637359.0000000020720000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation

            Anti Debugging:

            Hides threads from debuggers
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 19_2_00F034E3 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 19_2_01250A70 KiUserExceptionDispatcher, LdrInitializeThunk, KiUserExceptionDispatcher, KiUserExceptionDispatcher
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 19_2_00F038BB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 19_2_00F07C85 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 19_2_00F07C33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 19_2_00F07C38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 19_2_00F061D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 19_2_00F06B79 mov eax, dword ptr fs:[00000030h]