
Analysis Report New Inquiry 903838737777721102029393003938.exe

Overview

General Information

Sample Name: New Inquiry 903838737777721102029393003938.exe
Analysis ID: 112557
MD5: 01a54f73856cfb74a3bbba47bcec227b
SHA1: ed2ed885dcd7be832cdae5c189bd7db78ca9eaa2
SHA256: 759c87f02d5850ee317454dc8242067d042a320f653946c9162b645c0ae68ba6

Detection

GuLoader, LuminosityLink
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Yara detected LuminosityLink RAT
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64native
  • New Inquiry 903838737777721102029393003938.exe (PID: 6652 cmdline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' MD5: 01A54F73856CFB74A3BBBA47BCEC227B)
    • RegAsm.exe (PID: 1576 cmdline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
    • RegAsm.exe (PID: 1440 cmdline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
      • conhost.exe (PID: 1584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
      • anibtcent.exe.exe (PID: 4188 cmdline: 'C:\ProgramData\782401\anibtcent.exe.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
        • conhost.exe (PID: 1500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
  • demisphereklediskene.exe (PID: 1812 cmdline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' MD5: 01A54F73856CFB74A3BBBA47BCEC227B)
    • RegAsm.exe (PID: 4328 cmdline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
      • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
  • RegAsm.exe (PID: 2652 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
    • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
  • demisphereklediskene.exe (PID: 2140 cmdline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' MD5: 01A54F73856CFB74A3BBBA47BCEC227B)
  • cleanup
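The process tree above is the GuLoader pattern the signatures below describe ("Creates a process in suspended mode (likely to inject code)", "Writes to foreign memory regions"): RegAsm.exe, a legitimate .NET utility from C:\Windows\Microsoft.NET\Framework\v2.0.50727, is started by the dropper and runs with the dropper's own command line, and that hollowed RegAsm.exe then launches the file dropped to C:\ProgramData\782401\anibtcent.exe.exe. The mismatch between the mapped image and the executable named in the command line is the cheapest tell to hunt for in Sysmon event 1 or 4688 telemetry. The following Python is an added example, not part of the Joe Sandbox report: the records are constructed from the tree above (PIDs and paths as reported) and the heuristics are the editor's, not the sandbox's signature logic.

```python
"""Triage check over process-creation records for the hollowing pattern this
report shows: RegAsm.exe is the mapped image, but the command line is the
dropper's own path, and the hollowed RegAsm.exe then launches a file dropped
under C:\\ProgramData. Added example; not part of the Joe Sandbox report.
EVENTS is constructed from the Startup tree above (PIDs and paths as reported);
the heuristics are the editor's, not the sandbox's signature logic."""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int          # 0 where the report shows no parent
    image: str         # executable actually mapped (Sysmon EID 1 "Image")
    cmdline: str       # command line as recorded ("CommandLine")


# Constructed from the report's Startup section. The sandbox renders the quoted
# first argument with single quotes; real telemetry uses double quotes.
EVENTS = [
    ProcEvent(6652, 0, r"C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe",
              r"'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'"),
    ProcEvent(1576, 6652, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
              r"'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'"),
    ProcEvent(1440, 6652, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
              r"'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'"),
    ProcEvent(1584, 1440, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(4188, 1440, r"C:\ProgramData\782401\anibtcent.exe.exe",
              r"'C:\ProgramData\782401\anibtcent.exe.exe'"),
    ProcEvent(2652, 0, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
              r"'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'"),
]

SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")


def first_token(cmdline: str) -> str:
    """Executable named first in a Windows command line; honours a quoted
    first argument so paths with spaces survive."""
    s = cmdline.strip()
    if s and s[0] in "'\"":
        end = s.find(s[0], 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def analyze(events):
    """Return (pid, indicator, detail) triples for every suspicious record."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = ntpath.basename(e.image).lower()
        cmd = ntpath.basename(first_token(e.cmdline)).lower()
        parent = by_pid.get(e.ppid)
        # Hollowing/injection tell: the mapped image is not the program the
        # command line claims to be running.
        if cmd and cmd != img:
            findings.append((e.pid, "image/cmdline mismatch", f"{img} running as '{cmd}'"))
        if img.count(".exe") > 1:
            findings.append((e.pid, "double extension", img))
        if parent is not None:
            # A .NET SDK utility started by something in a user-writable path...
            if img == "regasm.exe" and not parent.image.lower().startswith(SYSTEM_PREFIXES):
                findings.append((e.pid, "regasm.exe spawned from user path", parent.image))
            # ...or that utility launching a binary outside the system directories.
            if (ntpath.basename(parent.image).lower() == "regasm.exe"
                    and not e.image.lower().startswith(SYSTEM_PREFIXES)):
                findings.append((e.pid, "regasm.exe launched non-system binary", e.image))
    return findings


if __name__ == "__main__":
    for pid, indicator, detail in analyze(EVENTS):
        print(f"PID {pid}: {indicator}: {detail}")
```

Run against the constructed tree, both hollowed RegAsm.exe instances (PIDs 1576 and 1440) are flagged for the image/command-line mismatch and for their user-path parent, and the dropped anibtcent.exe.exe is flagged for its double extension and for being launched by RegAsm.exe; the dropper itself, conhost.exe and the stand-alone RegAsm.exe (PID 2652, whose command line matches its image) produce nothing. The conhost.exe children are the only legitimate RegAsm.exe descendants in this tree, which is why the system-directory allow-list is enough here; tune SYSTEM_PREFIXES for your own estate.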

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp | JoeSecurity_LuminosityLink | Yara detected LuminosityLink RAT | Joe Security
00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: RegAsm.exe PID: 1440 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: RegAsm.exe PID: 1440 | JoeSecurity_LuminosityLink | Yara detected LuminosityLink RAT | Joe Security
Process Memory Space: RegAsm.exe PID: 4328 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Virustotal: Detection: 20%
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: New Inquiry 903838737777721102029393003938.exe | Virustotal: Detection: 20%
Source: New Inquiry 903838737777721102029393003938.exe | ReversingLabs: Detection: 18%
Yara detected LuminosityLink RAT
Source: Yara match | File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

Bitcoin Miner:

Yara detected LuminosityLink RAT
Source: Yara match | File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

Networking:

Source: global traffic | TCP traffic: 192.168.0.80:49780 -> 194.5.97.46:3021
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 occurrences)
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 0000000D.00000002.24301548535.00000000010C1000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 0000000D.00000002.24328207020.0000000021190000.00000002.00000001.sdmp | String found in binary or memory: https://aka.ms/hcsadmin
Source: RegAsm.exe, 0000000D.00000002.24301095324.000000000107D000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmp | String found in binary or memory: https://eaup2w.sn.files.1drv.com/
Source: RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265299276.0000000000E52000.00000004.00000020.sdmp | String found in binary or memory: https://eaup2w.sn.files.1drv.com/y4m4bqAkwHQUJx1iHbF6prKSSCddXNt-56Mg951zMrckoiAx-x88t2pks0UEJqWB7st
Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 0000000D.00000002.24301548535.00000000010C1000.00000004.00000020.sdmp | String found in binary or memory: https://eaup2w.sn.files.1drv.com/y4mcRoU26afjmMcM96C_CG1xmFAJaGVWXqZWLE8oSmKi-bsn2pOmBTUtvaCnggDIr1k
Source: RegAsm.exe, 0000000D.00000002.24300776016.000000000104B000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=249E8FCE0A15C968&resid=249E8FCE0A15C968%211276&authkey=ADoYXV
Source: RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/l
Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

E-Banking Fraud:

Yara detected LuminosityLink RAT
Source: Yara match | File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_02240A3F NtSetInformationThread
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_02240AA2 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F09EF3 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F005E5 EnumWindows, NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F09B4C NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F016BE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F00A7A NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F09E56 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F00631 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F00629 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F011F0 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F01719 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_204F2CD2 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_204F2C97 NtQuerySystemInformation
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Code function: 18_2_021C0A3F NtSetInformationThread
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Code function: 18_2_021C0AA2 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C39EF3 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C305E5 EnumWindows, NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C39B4C NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C316BE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C39E56 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C30A7A NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C3A824 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C30629 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C30631 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C311F0 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C3A30D NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C39F12 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C31719 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Windows\SysWOW64\clientsvr.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F005E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE1E1E
Source: C:\ProgramData\782401\anibtcent.exe.exe | Code function: 16_2_050F01B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C305E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 21_2_00C801B7
Source: New Inquiry 903838737777721102029393003938.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: demisphereklediskene.exe.13.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24036753540.0000000000413000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStrenger.exe vs New Inquiry 903838737777721102029393003938.exe
Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24037858669.00000000005E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs New Inquiry 903838737777721102029393003938.exe
Source: New Inquiry 903838737777721102029393003938.exe | Binary or memory string: OriginalFilenameStrenger.exe vs New Inquiry 903838737777721102029393003938.exe
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Section loaded: vb6zz.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Section loaded: vb6zz.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Section loaded: vb6zz.dll
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@16/8@10/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_204F2A92 AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_204F2A5B AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\Hustankesgy3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1500:120:WilError_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1584:120:WilError_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\7433cdb324b04dd5e3c3db213381216c7c539baa
Source: New Inquiry 903838737777721102029393003938.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\ProgramData\782401\anibtcent.exe.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dll
Source: C:\ProgramData\782401\anibtcent.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\ProgramData\782401\anibtcent.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts (10 occurrences)
Source: New Inquiry 903838737777721102029393003938.exe | Virustotal: Detection: 20%
Source: New Inquiry 903838737777721102029393003938.exe | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\782401\anibtcent.exe.exe 'C:\ProgramData\782401\anibtcent.exe.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Hustankesgy3\demisphereklediskene.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Hustankesgy3\demisphereklediskene.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\ProgramData\782401\anibtcent.exe.exe 'C:\ProgramData\782401\anibtcent.exe.exe'
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9554_none_d08d6fa2442aa556\MSVCR80.dll
Source: Binary string: RegAsm.pdb | source: RegAsm.exe, 0000000D.00000002.24325004854.000000001FFF5000.00000004.00000001.sdmp, anibtcent.exe.exe, anibtcent.exe.exe.13.dr
Source: Binary string: mscorrc.pdb | source: RegAsm.exe, 0000000D.00000002.24324313659.000000001FF60000.00000002.00000001.sdmp, RegAsm.exe, 00000013.00000002.24283755110.000000001FDF0000.00000002.00000001.sdmp

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4328, type: MEMORY
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040E750 pushad ; ret 3_2_0040E7DF
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00406A5A push ecx; retf 3_2_00406A5B
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040E77E pushad ; ret 3_2_0040E7DF
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00406418 push ecx; retf 3_2_0040642F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409FC6 push ecx; ret 3_2_00409FC7
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A6C9 push ebx; retf 3_2_0040A6D3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409FE7 push ebx; retf 3_2_00409FF3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A6EC push ebx; retf 3_2_0040A703
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409F88 push ebx; retf 3_2_00409F8F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A68E push ebx; retf 3_2_0040A703
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_00409FAC push ebx; retf 3_2_00409FBF
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_0040A0B0 push ecx; ret 3_2_0040A0C3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_004063B8 push ecx; retf 3_2_0040642F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_00409EBE push ebp; retf 3_2_00409EF3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_02240A3F push cs; retf 3_2_02240A91
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_02243604 push edi; ret 3_2_0224360E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1DB256F5 push edx; iretd 13_2_1DB256F6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1DB22E29 push ds; iretd 13_2_1DB23206
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1DB23662 push ecx; ret 13_2_1DB2366D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE39A1 push ebp; retf 13_2_1FEE39A2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3D9B push esi; retf 13_2_1FEE3DA2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3D98 push esi; retf 13_2_1FEE3D9A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3921 push esp; retf 13_2_1FEE3922
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3EEB push edi; retf 13_2_1FEE3EF2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3EE8 push edi; retf 13_2_1FEE3EEA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE0AD8 push F01DCB26h; retf 13_2_1FEE0ADD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3843 push esp; retf 13_2_1FEE384A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3841 push esp; retf 13_2_1FEE3842
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE0006 push ss; retf 13_2_1FEE002E
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Code function: 18_2_021C0A3F push cs; retf 18_2_021C0A91
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 21_2_0241000C pushfd ; retf 21_2_02410053
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\ProgramData\782401\anibtcent.exe.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Windows\SysWOW64\clientsvr.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\Hustankesgy3\demisphereklediskene.exe

            Boot Survival:

            Creates an autostart registry key pointing to binary in C:\Windows
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKP
            Creates an undocumented autostart registry key
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
            Creates multiple autostart registry keys
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnesses
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKP

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\782401\anibtcent.exe.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F08F5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 19_2_00C38F5A
            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe; File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe; File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe; File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe; File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24037990478.00000000005FA000.00000004.00000020.sdmp; Binary or memory string: _ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: RegAsm.exe, 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, RegAsm.exe, 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe; RDTSC instruction interceptor: First address: 000000000224468B second address: 000000000224468B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F8484416248h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f cmp ax, cx 0x00000022 test edx, eax 0x00000024 pop ecx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp cx, dx 0x0000002b cmp ecx, 00000000h 0x0000002e jne 00007F8484416228h 0x00000030 push ecx 0x00000031 cmp ax, ax 0x00000034 call 00007F848441626Bh 0x00000039 call 00007F848441625Ah 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F016BE rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\782401\anibtcent.exe.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Window / User API: threadDelayed 1395
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6984; Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6168; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1564; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1528; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\782401\anibtcent.exe.exe TID: 2812; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6900; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5616; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Guest Shutdown Service
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: vmicshutdown
            Source: RegAsm.exe, 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp; Binary or memory string: vmware
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: Hyper-V PowerShell Direct Service
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Time Synchronization Service
            Source: demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: vmicvss
            Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265299276.0000000000E52000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW&
            Source: RegAsm.exe, 0000000D.00000002.24300776016.000000000104B000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW
            Source: RegAsm.exe, 00000013.00000002.24265233992.0000000000E4A000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAWen-USn
            Source: RegAsm.exe, 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, RegAsm.exe, 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp; Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Data Exchange Service
            Source: RegAsm.exe, 0000000D.00000002.24328207020.0000000021190000.00000002.00000001.sdmp; Binary or memory string: Insufficient privileges. Only administrators or users that are members of the Hyper-V Administrators user group are permitted to access virtual machines or containers. To add yourself to the Hyper-V Administrators user group, please see https://aka.ms/hcsadmin for more information.
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Heartbeat Service
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Guest Service Interface
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24037990478.00000000005FA000.00000004.00000020.sdmp; Binary or memory string: _rogram Files\Qemu-ga\qemu-ga.exe
            Source: demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp; Binary or memory string: vmicheartbeat
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process information queried: ProcessInformation

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F09EF3 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe; Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Thread information set: HideFromDebugger
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe; Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe; Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process queried: DebugPort
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe; Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F016BE rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F02A91 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F0949D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F01E6C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F081B7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F08799 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 13_2_00F04109 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 19_2_00C32A91 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 19_2_00C3949D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 19_2_00C31E6C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 19_2_00C38799 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 19_2_00C381B7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 19_2_00C34109 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: F00000
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: C30000
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process created: C:\ProgramData\782401\anibtcent.exe.exe 'C:\ProgramData\782401\anibtcent.exe.exe'
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
            Source: RegAsm.exe, 0000000D.00000002.24304442627.00000000016E1000.00000002.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24301285647.0000000000D21000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 0000000D.00000002.24304442627.00000000016E1000.00000002.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24301285647.0000000000D21000.00000002.00000001.sdmp; Binary or memory string: Progman
            Source: RegAsm.exe, 0000000D.00000002.24304442627.00000000016E1000.00000002.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24301285647.0000000000D21000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
            Source: RegAsm.exe, 0000000D.00000002.24304442627.00000000016E1000.00000002.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24301285647.0000000000D21000.00000002.00000001.sdmp; Binary or memory string: 1Program Manager
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected LuminosityLink RAT
            Source: Yara match; File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

            Remote Access Functionality:

            Yara detected LuminosityLink RAT
            Source: Yara match; File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation1 | Registry Run Keys / Startup Folder31 | Access Token Manipulation1 | Masquerading21 | Input Capture11 | Security Software Discovery821 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | DLL Side-Loading1 | Process Injection112 | Virtualization/Sandbox Evasion33 | LSASS Memory | Virtualization/Sandbox Evasion33 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder31 | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | DLL Side-Loading1 | Access Token Manipulation1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud |
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection112 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information1 | DCSync | System Information Discovery22 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

            Behavior Graph

            [Behavior graph rendered as an image in the original report; the text recoverable from it follows.]
            Behavior Graph ID: 112557; Sample: New Inquiry 9038387377777...; Startdate: 17/09/2020; Architecture: WINDOWS; Score: 100
            Top-level signatures: Potential malicious icon found; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 3 other signatures
            Processes started: New Inquiry 903838737777721102029393003938.exe; demisphereklediskene.exe (twice); RegAsm.exe (several instances); conhost.exe (several instances); anibtcent.exe.exe
            New Inquiry 903838737777721102029393003938.exe: Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers; starts RegAsm.exe
            demisphereklediskene.exe: Multi AV Scanner detection for dropped file; starts RegAsm.exe
            RegAsm.exe (injected by the sample): contacts nobawi.dvrdns.org 194.5.97.46 (ports 3021, 49780, 49781; DANILENKODE, Netherlands), 192.168.0.2 and 2 other IPs or domains; drops C:\Users\user\...\demisphereklediskene.exe (PE32), C:\Windows\SysWOW64\clientsvr.exe (PE32) and C:\ProgramData\782401\anibtcent.exe.exe (PE32); Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; 2 other signatures; starts anibtcent.exe.exe and conhost.exe
            RegAsm.exe (second instance): Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Contains functionality to detect hardware virtualization (CPUID execution measurement); Contains functionality to hide a thread from the debugger
            RegAsm.exe (injected by demisphereklediskene.exe): contacts onedrive.live.com and eaup2w.sn.files.1drv.com; Tries to detect Any.run; Hides threads from debuggers; starts conhost.exe

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

                                 Source | Detection | Scanner | Label
                                 New Inquiry 903838737777721102029393003938.exe | 21% | Virustotal |
                                 New Inquiry 903838737777721102029393003938.exe | 19% | ReversingLabs |

            Dropped Files

                                 Source | Detection | Scanner | Label
                                 C:\ProgramData\782401\anibtcent.exe.exe | 0% | Virustotal |
                                 C:\ProgramData\782401\anibtcent.exe.exe | 0% | Metadefender |
                                 C:\ProgramData\782401\anibtcent.exe.exe | 0% | ReversingLabs |
                                 C:\Users\user\Hustankesgy3\demisphereklediskene.exe | 21% | Virustotal |
                                 C:\Users\user\Hustankesgy3\demisphereklediskene.exe | 19% | ReversingLabs |
                                 C:\Windows\SysWOW64\clientsvr.exe | 0% | Virustotal |
                                 C:\Windows\SysWOW64\clientsvr.exe | 0% | Metadefender |
                                 C:\Windows\SysWOW64\clientsvr.exe | 0% | ReversingLabs |

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

                                 Name | IP | Active | Malicious | Antivirus Detection | Reputation
                                 nobawi.dvrdns.org | 194.5.97.46 | true | false | | unknown
                                 onedrive.live.com | unknown | unknown | false | | high
                                 eaup2w.sn.files.1drv.com | unknown | unknown | false | | high

                  URLs from Memory and Binaries

                                 Name | Source | Malicious | Antivirus Detection | Reputation
                                 https://eaup2w.sn.files.1drv.com/ | RegAsm.exe, 0000000D.00000002.24301095324.000000000107D000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmp | false | | high
                                 https://onedrive.live.com/l | RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp | false | | high
                                 https://aka.ms/hcsadmin | RegAsm.exe, 0000000D.00000002.24328207020.0000000021190000.00000002.00000001.sdmp | false | | high
                                 https://onedrive.live.com/ | RegAsm.exe, 0000000D.00000002.24300776016.000000000104B000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp | false | | high
                                 https://eaup2w.sn.files.1drv.com/y4m4bqAkwHQUJx1iHbF6prKSSCddXNt-56Mg951zMrckoiAx-x88t2pks0UEJqWB7st | RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265299276.0000000000E52000.00000004.00000020.sdmp | false | | high
                                 https://eaup2w.sn.files.1drv.com/y4mcRoU26afjmMcM96C_CG1xmFAJaGVWXqZWLE8oSmKi-bsn2pOmBTUtvaCnggDIr1k | RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 0000000D.00000002.24301548535.00000000010C1000.00000004.00000020.sdmp | false | | high
                                 https://onedrive.live.com/download?cid=249E8FCE0A15C968&resid=249E8FCE0A15C968%211276&authkey=ADoYXV | RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmp | false | | high

                                Contacted IPs


                                Public

IP           Country      ASN     ASN Name     Malicious
194.5.97.46  Netherlands  208476  DANILENKODE  false

                                Private

                                IP
                                192.168.0.2

                                General Information

                                Joe Sandbox Version:30.0.0 Red Diamond
                                Analysis ID:112557
                                Start date:17.09.2020
                                Start time:09:13:31
                                Joe Sandbox Product:Cloud
                                Overall analysis duration:0h 8m 22s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:New Inquiry 903838737777721102029393003938.exe
                                Cookbook file name:default.jbs
                                Analysis system description:W10 x64 1809 Native physical Machine for testing VM-aware malware (Office 2016, Internet Explorer 11, Java 8u231, Adobe Reader DC 19)
                                Number of analysed new started processes analysed:24
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.rans.troj.spyw.evad.winEXE@16/8@10/2
                                EGA Information:
                                • Successful, ratio: 71.4%
                                HDC Information:
                                • Successful, ratio: 53.8% (good quality ratio 19.1%)
                                • Quality average: 24.7%
                                • Quality standard deviation: 36.3%
                                HCA Information:
                                • Successful, ratio: 96%
                                • Number of executed functions: 265
                                • Number of non-executed functions: 19
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, LocalBridge.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                                • Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42, 40.67.251.132, 23.55.161.163, 23.55.161.152, 13.107.42.13, 13.107.42.12, 40.90.22.186, 40.90.22.191, 40.90.22.183, 40.90.22.192, 40.90.22.189, 40.90.22.184, 40.90.22.188, 40.90.22.187, 51.143.111.7
                                • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, client.wns.windows.com, odc-web-geo.onedrive.akadns.net, odc-sn-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, emea2.notify.windows.com.akadns.net, login.msa.msidentity.com, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, umwatsonrouting.trafficmanager.net, db5p.wns.notify.windows.com.akadns.net, odc-sn-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, odc-sn-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                • Execution Graph export aborted for target demisphereklediskene.exe, PID 1812 because there are no executed function
                                • Execution Graph export aborted for target demisphereklediskene.exe, PID 2140 because there are no executed function
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Signature Similarity


                                Simulations

                                Behavior and APIs

Time      Type             Description
09:17:31  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnesses C:\Users\user\Hustankesgy3\demisphereklediskene.exe
09:17:34  API Interceptor  4x Sleep call for process: RegAsm.exe modified
09:17:39  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKP "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
09:17:47  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnesses C:\Users\user\Hustankesgy3\demisphereklediskene.exe
09:17:55  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKP "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

Match:DANILENKODE

Associated Sample Name / URL                                Detection  Context
Notificare de expediere a serviciului de curierat FAN.exe   malicious  194.5.98.4
Stub.exe                                                    malicious  194.5.97.76
CEsezvn5.exe                                                malicious  194.5.97.98
order_doc#79922021.pdf.exe                                  malicious  194.5.97.76
Specifications Drawing Sketch Details-img.exe               malicious  194.5.98.23
5wJh9Cykwx.exe                                              malicious  194.5.98.68
u51x5QFXXu.exe                                              malicious  194.5.97.55
2020.09.01.SS.08.39_Export.pdf.exe                          malicious  194.5.97.23
jBMJ2TUHK4.exe                                              malicious  194.5.98.95
m5ug7w1BclUkH8g.exe                                         malicious  194.5.98.225
KR-310820.EXE                                               malicious  194.5.97.15
QgpyVFbQ7w.exe                                              malicious  194.5.98.95
Pos withdrawal reduced to 0.5%.exe                          malicious  194.5.97.16
U5AxjHFcx0zbmCE.exe                                         malicious  194.5.97.93
SecuriteInfo.com.ArtemisF2D018C0AB1C.exe                    malicious  194.5.98.95
SecuriteInfo.com.Trojan.Inject3.53454.32340.exe             malicious  194.5.98.95
RFQ_282008.exe                                              malicious  194.5.97.15
RFQ_HartBrothersLimited7685745646490SD.xlsm                 malicious  194.5.98.249
PO-250820.exe                                               malicious  194.5.97.15
PO-260820.exe                                               malicious  194.5.97.15

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\ProgramData\7433cdb324b04dd5e3c3db213381216c7c539baa
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:ASCII text, with no line terminators
                                Size (bytes):6
                                Entropy (8bit):2.584962500721156
                                Encrypted:false
                                MD5:332825AF0394E728F74AFD416AF782DE
                                SHA1:2E1F37FCDF50AD24B9CF565340B4192031B4DA4F
                                SHA-256:7E8E21F8DAAE7B8A0C1FC6AB294A32226B12024405C6B841B402FC1E21A358E1
                                SHA-512:D8D386CA3208A7F9AF56C4DDC717D14D5796DB9A265C75ACBA3CA5139332891172A68334B050C3C358B4CAE7165FDF14C1798FE7ABE2DC23AE9054060910D060
                                Malicious:false
                                Reputation:low
                                Preview: 782501
                                C:\ProgramData\782401\anibtcent.exe.exe
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Size (bytes):53248
                                Entropy (8bit):4.489035167606714
                                Encrypted:false
                                MD5:6AFAE79556E125202DCF1D3FE74A3638
                                SHA1:1F0CD73E2A999298F4AACC9F4F4435D0E0C5841E
                                SHA-256:3A2671887FA27F16624D0E560985DE57C421B686AF6546ECF799F96B301E4DDD
                                SHA-512:E418A6A5EE03253D9CE5EF5A414AF1F89940FA1BD47DA47110EA8CFBA037669DD052AC5E2B8AE45938C09B25B071ECC1307251059D77B494C359E0C8924AF081
                                Malicious:false
                                Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:dj[..................... .......... ........@.. ..............................H$....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:ASCII text, with CRLF line terminators
                                Size (bytes):20
                                Entropy (8bit):3.6841837197791887
                                Encrypted:false
                                MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
                                SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
                                SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
                                SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview: 1,"fusion","GAC",0..
                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\anibtcent.exe.exe.log
                                Process:C:\ProgramData\782401\anibtcent.exe.exe
                                File Type:ASCII text, with CRLF line terminators
                                Size (bytes):20
                                Entropy (8bit):3.6841837197791887
                                Encrypted:false
                                MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
                                SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
                                SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
                                SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview: 1,"fusion","GAC",0..
                                C:\Users\user\Hustankesgy3\demisphereklediskene.exe
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Size (bytes):77824
                                Entropy (8bit):4.268810997769698
                                Encrypted:false
                                MD5:01A54F73856CFB74A3BBBA47BCEC227B
                                SHA1:ED2ED885DCD7BE832CDAE5C189BD7DB78CA9EAA2
                                SHA-256:759C87F02D5850EE317454DC8242067D042A320F653946C9162B645C0AE68BA6
                                SHA-512:C14F28C00A7344F039BFC30D658E3E5C1D3DB08EA7AC31F4574587F8FE17492DD2E0D73374CDEC51A90E79D5569F21645BC4E59EBE5A1362CC5E04A8CAAD8516
                                Malicious:true
                                Antivirus:
• Antivirus: Virustotal, Detection: 21%
                                • Antivirus: ReversingLabs, Detection: 19%
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i......................*..............Rich....................PE..L......X.....................0....................@..........................@..............................................t...(....0..$...................................................................0... ....................................text...d........................... ..`.data...............................@....rsrc...$....0....... ..............@..@...I............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Windows\SysWOW64\clientsvr.exe
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Size (bytes):53248
                                Entropy (8bit):4.489035167606714
                                Encrypted:false
                                MD5:6AFAE79556E125202DCF1D3FE74A3638
                                SHA1:1F0CD73E2A999298F4AACC9F4F4435D0E0C5841E
                                SHA-256:3A2671887FA27F16624D0E560985DE57C421B686AF6546ECF799F96B301E4DDD
                                SHA-512:E418A6A5EE03253D9CE5EF5A414AF1F89940FA1BD47DA47110EA8CFBA037669DD052AC5E2B8AE45938C09B25B071ECC1307251059D77B494C359E0C8924AF081
                                Malicious:false
                                Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:dj[..................... .......... ........@.. ..............................H$....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                \Device\ConDrv
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:ASCII text, with CRLF line terminators
                                Size (bytes):1010
                                Entropy (8bit):4.301794875780381
                                Encrypted:false
                                MD5:89358C11D21070BAC4F92BFA5F9034FF
                                SHA1:8D94E1B07DE5B7BC0A819709478FBC62F627296F
                                SHA-256:B5C37651006A8E8BA3D665795B374F5047796B0EFB4B664134654CDF869EBBF0
                                SHA-512:5D519C044F7B1781D78632B7857B87DD4ADE4AD39868A79D50C2055D917D43898540A05CF5DD4A65AC68E71F8D7751D24353153D5289BBE60118F7FC31AC8FA1
                                Malicious:false
                                Reputation:low
                                Preview: Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.9031..Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information.. /? or /help Display this usage

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):4.268810997769698
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.15%
                                • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:New Inquiry 903838737777721102029393003938.exe
                                File size:77824
                                MD5:01a54f73856cfb74a3bbba47bcec227b
                                SHA1:ed2ed885dcd7be832cdae5c189bd7db78ca9eaa2
                                SHA256:759c87f02d5850ee317454dc8242067d042a320f653946c9162b645c0ae68ba6
                                SHA512:c14f28c00a7344f039bfc30d658e3e5c1d3db08ea7ac31f4574587f8fe17492dd2e0d73374cdec51a90e79d5569f21645bc4e59ebe5a1362cc5e04a8caad8516
                                SSDEEP:768:tidhxH/lEJLqTyouZbjbKel+SA2sJ80Mos:tchVWJLkyoKbR+SsJ817
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L......X.....................0....................@........

                                File Icon

                                Icon Hash:20047c7c70f0e004

                                Static PE Info

                                General

                                Entrypoint:0x401198
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                DLL Characteristics:
                                Time Stamp:0x58E2F1AE [Tue Apr 4 01:06:54 2017 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:68aad53882cd0699d0056766eec5d383

                                Entrypoint Preview

                                Instruction
                                push 0040152Ch
                                call 00007F8484E1D895h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                xor byte ptr [eax], al
                                add byte ptr [eax], al
                                dec eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [edi], cl
                                into
                                jbe 00007F8484E1D8EBh
                                ret
                                cmp al, 59h
                                dec eax
                                mov ebp, F52EDF18h
                                mov edi, 0000DE0Dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add dword ptr [eax], eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                push edi
                                push 6E657469h
                                jnc 00007F8484E1D912h
                                popad
                                je 00007F8484E1D918h
                                imul esi, dword ptr [edi+33h], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                dec esp
                                xor dword ptr [eax], eax
                                add al, 7Fh
                                mov al, 11h
                                popfd
                                xchg eax, ebp
                                sbb eax, C8A14621h
                                mov al, 14h
                                pushad

                                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x10874          0x28          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x13000          0x924         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x230            0x20
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x94          .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                Sections

Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text  0x1000           0xfb64        0x10000   False     0.325119018555   data       4.5495521333   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data  0x11000          0x13b0        0x1000    False     0.00634765625    data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  0x13000          0x924         0x1000    False     0.173583984375   data       2.00822109273  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                Resources

Name           RVA      Size   Type                  Language  Country
RT_ICON        0x137f4  0x130  data
RT_ICON        0x1350c  0x2e8  data
RT_ICON        0x133e4  0x128  GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x133b4  0x30   data
RT_VERSION     0x13150  0x264  data                  French    France

                                Imports

DLL           Import
MSVBVM60.DLL  _CIcos, _adj_fptan, __vbaFreeVar, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                Version Infos

Description       Data
Translation       0x040c 0x04b0
InternalName      Strenger
FileVersion       1.00
CompanyName       BaconSplitter
Comments          BaconSplitter
ProductName       Whitenspagettiw3
ProductVersion    1.00
OriginalFilename  Strenger.exe

                                Possible Origin

Language of compilation system  Country where language is spoken
French                          France

                                Network Behavior

                                Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                                       Source Port  Dest Port  Source IP  Dest IP
09/17/20-09:17:35.647111  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           62644      1.1.1.1    192.168.0.80
09/17/20-09:17:45.373911  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           57998      1.1.1.1    192.168.0.80
09/17/20-09:17:49.824955  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           62566      1.1.1.1    192.168.0.80

                                Network Port Distribution

                                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 17, 2020 09:17:35.654803991 CEST | 49780 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:38.653953075 CEST | 49780 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:44.667840958 CEST | 49780 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:45.192441940 CEST | 3021 | 49780 | 194.5.97.46 | 192.168.0.80
Sep 17, 2020 09:17:45.375614882 CEST | 49781 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:48.385880947 CEST | 49781 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:48.396872044 CEST | 3021 | 49781 | 194.5.97.46 | 192.168.0.80
Sep 17, 2020 09:17:48.901237965 CEST | 49781 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:49.494385004 CEST | 3021 | 49781 | 194.5.97.46 | 192.168.0.80
Sep 17, 2020 09:17:49.826248884 CEST | 49784 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:50.117470980 CEST | 3021 | 49784 | 194.5.97.46 | 192.168.0.80
Sep 17, 2020 09:17:50.619613886 CEST | 49784 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:50.794392109 CEST | 3021 | 49784 | 194.5.97.46 | 192.168.0.80
Sep 17, 2020 09:17:51.306924105 CEST | 49784 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:54.958060980 CEST | 3021 | 49784 | 194.5.97.46 | 192.168.0.80
Sep 17, 2020 09:17:55.088757038 CEST | 49785 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:17:55.265065908 CEST | 3021 | 49785 | 194.5.97.46 | 192.168.0.80
Sep 17, 2020 09:17:55.774595022 CEST | 49785 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:18:01.788693905 CEST | 49785 | 3021 | 192.168.0.80 | 194.5.97.46
Sep 17, 2020 09:18:02.425591946 CEST | 3021 | 49785 | 194.5.97.46 | 192.168.0.80

Every TCP packet in the capture is between the analysis host and 194.5.97.46 on port 3021; four successive client source ports (49780, 49781, 49784, 49785) are used, each a short exchange before the next connection is opened.

                                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 17, 2020 09:16:15.561140060 CEST | 49451 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:16:15.565572977 CEST | 53 | 49451 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:16:21.787764072 CEST | 55506 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:16:21.791841984 CEST | 53 | 55506 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:16:31.149914026 CEST | 63845 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:16:31.169645071 CEST | 53 | 63845 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:16:34.521147966 CEST | 56004 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:16:34.532773018 CEST | 53 | 56004 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:17:29.691212893 CEST | 57708 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:17:29.695420980 CEST | 53 | 57708 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:17:30.439835072 CEST | 56079 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:17:30.530215025 CEST | 53 | 56079 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:17:35.487384081 CEST | 62644 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:17:35.647110939 CEST | 53 | 62644 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:17:45.353795052 CEST | 57998 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:17:45.373910904 CEST | 53 | 57998 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:17:48.758219957 CEST | 49721 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:17:48.767934084 CEST | 53 | 49721 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:17:49.451086998 CEST | 53676 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:17:49.516685009 CEST | 53 | 53676 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:17:49.611742020 CEST | 62566 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:17:49.824954987 CEST | 53 | 62566 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:17:55.077337027 CEST | 52075 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:17:55.087174892 CEST | 53 | 52075 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:18:01.974023104 CEST | 51394 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:18:01.993537903 CEST | 53 | 51394 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:18:02.650759935 CEST | 56038 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:18:02.655469894 CEST | 53 | 56038 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:18:03.229505062 CEST | 62469 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:18:03.233412981 CEST | 53 | 62469 | 1.1.1.1 | 192.168.0.80
Sep 17, 2020 09:18:03.276026011 CEST | 59275 | 53 | 192.168.0.80 | 1.1.1.1
Sep 17, 2020 09:18:03.287719965 CEST | 53 | 59275 | 1.1.1.1 | 192.168.0.80

                                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 17, 2020 09:17:29.691212893 CEST | 192.168.0.80 | 1.1.1.1 | 0x196b | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:30.439835072 CEST | 192.168.0.80 | 1.1.1.1 | 0x5ee6 | Standard query (0) | eaup2w.sn.files.1drv.com | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:35.487384081 CEST | 192.168.0.80 | 1.1.1.1 | 0x56aa | Standard query (0) | nobawi.dvrdns.org | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:45.353795052 CEST | 192.168.0.80 | 1.1.1.1 | 0x4529 | Standard query (0) | nobawi.dvrdns.org | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:48.758219957 CEST | 192.168.0.80 | 1.1.1.1 | 0x4adb | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:49.451086998 CEST | 192.168.0.80 | 1.1.1.1 | 0x83c6 | Standard query (0) | eaup2w.sn.files.1drv.com | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:49.611742020 CEST | 192.168.0.80 | 1.1.1.1 | 0xfc10 | Standard query (0) | nobawi.dvrdns.org | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:55.077337027 CEST | 192.168.0.80 | 1.1.1.1 | 0x9167 | Standard query (0) | nobawi.dvrdns.org | A (IP address) | IN (0x0001)
Sep 17, 2020 09:18:02.650759935 CEST | 192.168.0.80 | 1.1.1.1 | 0x4bb2 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Sep 17, 2020 09:18:03.276026011 CEST | 192.168.0.80 | 1.1.1.1 | 0x73ea | Standard query (0) | eaup2w.sn.files.1drv.com | A (IP address) | IN (0x0001)

                                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 17, 2020 09:17:29.695420980 CEST | 1.1.1.1 | 192.168.0.80 | 0x196b | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 17, 2020 09:17:30.530215025 CEST | 1.1.1.1 | 192.168.0.80 | 0x5ee6 | No error (0) | eaup2w.sn.files.1drv.com | odc-sn-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 17, 2020 09:17:35.647110939 CEST | 1.1.1.1 | 192.168.0.80 | 0x56aa | No error (0) | nobawi.dvrdns.org | - | 194.5.97.46 | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:45.373910904 CEST | 1.1.1.1 | 192.168.0.80 | 0x4529 | No error (0) | nobawi.dvrdns.org | - | 194.5.97.46 | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:48.767934084 CEST | 1.1.1.1 | 192.168.0.80 | 0x4adb | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 17, 2020 09:17:49.516685009 CEST | 1.1.1.1 | 192.168.0.80 | 0x83c6 | No error (0) | eaup2w.sn.files.1drv.com | odc-sn-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 17, 2020 09:17:49.824954987 CEST | 1.1.1.1 | 192.168.0.80 | 0xfc10 | No error (0) | nobawi.dvrdns.org | - | 194.5.97.46 | A (IP address) | IN (0x0001)
Sep 17, 2020 09:17:55.087174892 CEST | 1.1.1.1 | 192.168.0.80 | 0x9167 | No error (0) | nobawi.dvrdns.org | - | 194.5.97.46 | A (IP address) | IN (0x0001)
Sep 17, 2020 09:18:02.655469894 CEST | 1.1.1.1 | 192.168.0.80 | 0x4bb2 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 17, 2020 09:18:03.287719965 CEST | 1.1.1.1 | 192.168.0.80 | 0x73ea | No error (0) | eaup2w.sn.files.1drv.com | odc-sn-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)

The onedrive.live.com and 1drv.com lookups (GuLoader fetches its encrypted payload from cloud file hosts) show only CNAME chains in this table and no TCP traffic to them appears in the capture; the only resolved C2 indicator is nobawi.dvrdns.org at 194.5.97.46, which is the 3021/tcp peer in the TCP Packets table.
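The DNS and TCP tables above can be correlated into a single set of C2 indicators: the A answers tie nobawi.dvrdns.org to 194.5.97.46, and every TCP packet in the capture is to or from that address on 3021/tcp. The Python below is an added example written for this page, not part of the Joe Sandbox report; it embeds a constructed subset of the report's own DNS answers and the first two TCP sessions (timestamps truncated to microseconds) and shows how an analyst would derive the domain-to-IP mapping, group packets into client sessions and measure the outbound retry spacing. The LOCAL_NET prefix and the WELL_KNOWN_PORTS list are assumptions of the example, not values from the report.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data transcribed from the report's DNS Answers table:
# (name, cname, address). CNAME-only answers carry no address.
DNS_ANSWERS = [
    ("onedrive.live.com", "odc-web-geo.onedrive.akadns.net", None),
    ("eaup2w.sn.files.1drv.com", "odc-sn-files-geo.onedrive.akadns.net", None),
    ("nobawi.dvrdns.org", None, "194.5.97.46"),
    ("nobawi.dvrdns.org", None, "194.5.97.46"),
]

# Constructed sample data transcribed from the report's TCP Packets table
# (first two client sessions only): (timestamp, sport, dport, src, dst).
TCP_PACKETS = [
    ("2020-09-17 09:17:35.654803", 49780, 3021, "192.168.0.80", "194.5.97.46"),
    ("2020-09-17 09:17:38.653953", 49780, 3021, "192.168.0.80", "194.5.97.46"),
    ("2020-09-17 09:17:44.667840", 49780, 3021, "192.168.0.80", "194.5.97.46"),
    ("2020-09-17 09:17:45.192441", 3021, 49780, "194.5.97.46", "192.168.0.80"),
    ("2020-09-17 09:17:45.375614", 49781, 3021, "192.168.0.80", "194.5.97.46"),
    ("2020-09-17 09:17:48.385880", 49781, 3021, "192.168.0.80", "194.5.97.46"),
    ("2020-09-17 09:17:48.396872", 3021, 49781, "194.5.97.46", "192.168.0.80"),
]

LOCAL_NET = "192.168.0."                       # assumed analysis-host subnet
WELL_KNOWN_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 993, 995, 8080}  # assumed baseline


def resolve_map(answers):
    """Return {name: set(addresses)} from A answers only; CNAME-only chains are skipped."""
    m = defaultdict(set)
    for name, cname, addr in answers:
        if addr:
            m[name].add(addr)
    return dict(m)


def sessions(packets):
    """Group packets into client sessions keyed by (client_ip, client_port, server_ip, server_port).

    Direction is decided by whether the source address is on the local subnet."""
    sess = defaultdict(list)
    for ts, sport, dport, src, dst in packets:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        if src.startswith(LOCAL_NET):
            key, direction = (src, sport, dst, dport), "out"
        else:
            key, direction = (dst, dport, src, sport), "in"
        sess[key].append((t, direction))
    return sess


def c2_indicators(answers, packets):
    """One IOC record per client session: resolved domain(s) for the peer, port, whether the
    port is non-standard, the gaps between outbound packets and whether the peer replied."""
    names_by_ip = defaultdict(set)
    for name, addrs in resolve_map(answers).items():
        for a in addrs:
            names_by_ip[a].add(name)
    out = []
    for (cip, cport, sip, sport), pkts in sessions(packets).items():
        pkts.sort()
        outbound = [t for t, d in pkts if d == "out"]
        gaps = [round((b - a).total_seconds(), 1) for a, b in zip(outbound, outbound[1:])]
        out.append({
            "domain": sorted(names_by_ip.get(sip, {"<unresolved>"})),
            "ip": sip, "port": sport, "client_port": cport,
            "nonstandard_port": sport not in WELL_KNOWN_PORTS,
            "outbound_gaps_s": gaps,
            "got_reply": any(d == "in" for _, d in pkts),
        })
    return sorted(out, key=lambda r: r["client_port"])


if __name__ == "__main__":
    for ioc in c2_indicators(DNS_ANSWERS, TCP_PACKETS):
        print(ioc)
```

For the first session the outbound gaps come out as 3.0 s and 6.0 s before the peer's first reply, which is worth recording alongside the domain and port: a retry pattern like that is something a NetFlow or Zeek conn-log query can match even when the port changes.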

                                Code Manipulations

                                System Behavior

General

Start time: 09:15:53
Start date: 17/09/2020
Path: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Imagebase: 0x400000
File size: 77824 bytes
MD5 hash: 01A54F73856CFB74A3BBBA47BCEC227B
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

General

Start time: 09:17:25
Start date: 17/09/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Imagebase: 0xb0000
File size: 53248 bytes
MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 09:17:25
Start date: 17/09/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Imagebase: 0xae0000
File size: 53248 bytes
MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_LuminosityLink, Description: Yara detected LuminosityLink RAT, Source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:17:26
Start date: 17/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b6340000
File size: 822272 bytes
MD5 hash: C221707E5CE93515AC87507E19181E2A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:17:34
Start date: 17/09/2020
Path: C:\ProgramData\782401\anibtcent.exe.exe
Wow64 process (32bit): true
Commandline: 'C:\ProgramData\782401\anibtcent.exe.exe'
Imagebase: 0x850000
File size: 53248 bytes
MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: low

General

Start time: 09:17:35
Start date: 17/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b6340000
File size: 822272 bytes
MD5 hash: C221707E5CE93515AC87507E19181E2A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:17:39
Start date: 17/09/2020
Path: C:\Users\user\Hustankesgy3\demisphereklediskene.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Imagebase: 0x400000
File size: 77824 bytes
MD5 hash: 01A54F73856CFB74A3BBBA47BCEC227B
Has administrator privileges: false
Programmed in: Visual Basic
Antivirus matches:
• Detection: 21%, Virustotal
• Detection: 19%, ReversingLabs
Reputation: low

General

Start time: 09:17:43
Start date: 17/09/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Imagebase: 0x860000
File size: 53248 bytes
MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:17:43
Start date: 17/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b6340000
File size: 822272 bytes
MD5 hash: C221707E5CE93515AC87507E19181E2A
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:17:47
Start date: 17/09/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'
Imagebase: 0x330000
File size: 53248 bytes
MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:17:48
Start date: 17/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b6340000
File size: 822272 bytes
MD5 hash: C221707E5CE93515AC87507E19181E2A
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:17:55
Start date: 17/09/2020
Path: C:\Users\user\Hustankesgy3\demisphereklediskene.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Imagebase: 0x400000
File size: 77824 bytes
MD5 hash: 01A54F73856CFB74A3BBBA47BCEC227B
Has administrator privileges: false
Programmed in: Visual Basic
Reputation: low

Two details in this process list matter for detection. First, RegAsm.exe, a legitimate .NET Framework tool, is running with the VB6 dropper's command line (09:17:25 and 09:17:43): the image on disk is RegAsm.exe but the command line names a different executable, which is how a hollowed child appears in process telemetry. Second, C:\ProgramData\782401\anibtcent.exe.exe has the same size (53248 bytes) and MD5 (6AFAE79556E125202DCF1D3FE74A3638) as RegAsm.exe, so it is a renamed copy of the Microsoft binary, which is why its antivirus detection is 0%; the actual malicious content lives only in the memory regions the Yara rules matched, not in that file.
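The following Python is an added example for this page, not part of the Joe Sandbox report or its tooling. It embeds the process records transcribed from the System Behavior section above (path, command line, MD5) as constructed sample data and implements the three checks an analyst would script over such a list: a process whose image name differs from the executable on its command line, a process outside C:\Windows whose hash matches a system image (a relocated copy of RegAsm.exe), and one hash executing from several paths (the dropper re-run from the user profile). Treating everything under C:\Windows as a trusted hash baseline is an assumption of the example; in production that baseline would come from an image inventory rather than from the list being checked.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample records transcribed from the report's System Behavior section:
# (image path, command line, MD5). Start times are omitted; order follows the report.
PROCESSES = [
    (r"C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe",
     r"'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'",
     "01A54F73856CFB74A3BBBA47BCEC227B"),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     r"'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'",
     "6AFAE79556E125202DCF1D3FE74A3638"),
    (r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "C221707E5CE93515AC87507E19181E2A"),
    (r"C:\ProgramData\782401\anibtcent.exe.exe",
     r"'C:\ProgramData\782401\anibtcent.exe.exe'",
     "6AFAE79556E125202DCF1D3FE74A3638"),
    (r"C:\Users\user\Hustankesgy3\demisphereklediskene.exe",
     r"'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'",
     "01A54F73856CFB74A3BBBA47BCEC227B"),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     r"'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'",
     "6AFAE79556E125202DCF1D3FE74A3638"),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     r"'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'",
     "6AFAE79556E125202DCF1D3FE74A3638"),
]

SYSTEM_ROOT = "c:\\windows\\"   # assumed trusted location for the hash baseline


def image_from_cmdline(cmdline):
    """Return the executable token of a command line: a single- or double-quoted
    leading path, otherwise the first whitespace-delimited token."""
    m = re.match(r"""\s*(['"])(.+?)\1""", cmdline)
    return m.group(2) if m else cmdline.split()[0]


def cmdline_mismatch(path, cmdline):
    """True when the on-disk image name differs from the executable named on the
    command line. NTFS is case-insensitive, so compare lower-cased basenames."""
    return ntpath.basename(path).lower() != ntpath.basename(image_from_cmdline(cmdline)).lower()


def system_hashes(procs):
    """MD5 -> path for every image observed running from under C:\\Windows."""
    return {md5.lower(): path.lower() for path, _, md5 in procs
            if path.lower().startswith(SYSTEM_ROOT)}


def relocated_system_binaries(procs):
    """Processes outside C:\\Windows whose hash equals a system image: renamed copies
    of Microsoft binaries, which is why file-based AV scores them clean."""
    sys_h = system_hashes(procs)
    return [(path, sys_h[md5.lower()]) for path, _, md5 in procs
            if not path.lower().startswith(SYSTEM_ROOT) and md5.lower() in sys_h]


def hash_reuse(procs):
    """MD5 -> sorted distinct image paths, for hashes seen at more than one path."""
    by_hash = defaultdict(set)
    for path, _, md5 in procs:
        by_hash[md5.lower()].add(path.lower())
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def findings(procs):
    """Flat list of (check, subject, detail) tuples in a stable order."""
    out = []
    for path, cmdline, md5 in procs:
        if cmdline_mismatch(path, cmdline):
            out.append(("cmdline_mismatch", path, image_from_cmdline(cmdline)))
    for path, origin in relocated_system_binaries(procs):
        out.append(("relocated_system_binary", path, origin))
    for md5, paths in hash_reuse(procs).items():
        out.append(("hash_reuse", md5, paths))
    return out


if __name__ == "__main__":
    for f in findings(PROCESSES):
        print(f)
```

Run against the transcribed list this yields exactly two command-line mismatches (both RegAsm.exe instances launched with a dropper path), one relocated system binary (anibtcent.exe.exe matching RegAsm.exe) and two reused hashes (the dropper at two paths, RegAsm at two paths); conhost.exe triggers nothing, which is the control you want before turning a check like this into a detection rule.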
