
Analysis Report 8220198_Inv0ice_receipt.exe

Overview

General Information

Sample Name: 8220198_Inv0ice_receipt.exe
Analysis ID: 297251
MD5: ce290eedfb41ce60c3f05317560b1c91
SHA1: 5b272194a80285e477cf119e32c27dd2a380c58a
SHA256: 4bbab96c26202aeb0698b83cfce1f0dcb99582b2d3ebfa1de170bfa283d0cde4
Tags: exe, GuLoader

Detection

NanoCore, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 8220198_Inv0ice_receipt.exe (PID: 4564 cmdline: 'C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe' MD5: CE290EEDFB41CE60C3F05317560B1C91)
    • RegAsm.exe (PID: 5072 cmdline: 'C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • filename1.exe (PID: 2860 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: CE290EEDFB41CE60C3F05317560B1C91)
    • RegAsm.exe (PID: 5536 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 1376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • filename1.exe (PID: 4632 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: CE290EEDFB41CE60C3F05317560B1C91)
    • RegAsm.exe (PID: 3400 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 4484 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 5916 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: RegAsm.exe PID: 5916 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 5536 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 5072 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 5072, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 8220198_Inv0ice_receipt.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\subfolder1\filename1.exe | Avira: detection malicious, Label: HEUR/AGEN.1130115
Multi AV Scanner detection for dropped file
Source: C:\Users\user\subfolder1\filename1.exe | ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: 8220198_Inv0ice_receipt.exe | ReversingLabs: Detection: 14%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49732 -> 185.165.153.111:6700
Uses dynamic DNS services
Source: unknown | DNS query: name: octnew.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 185.165.153.111:6700
Source: Joe Sandbox View | IP Address: 185.165.153.111
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: proqualityodontologia.com.br
Source: RegAsm.exe | String found in binary or memory: https://proqualityodontologia.com.br/man/octnew_TIZHKGZnk205.bin
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: 8220198_Inv0ice_receipt.exe, 00000000.00000002.773505716.000000000070A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_0221076F NtResumeThread,0_2_0221076F
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_02213A38 NtResumeThread,0_2_02213A38
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_02213A14 NtResumeThread,0_2_02213A14
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_02213A83 NtResumeThread,0_2_02213A83
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_02213AD8 NtResumeThread,0_2_02213AD8
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_02213B93 NtResumeThread,0_2_02213B93
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_00FA36B8 NtProtectVirtualMemory,2_2_00FA36B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_00FA02C5 NtSetInformationThread,2_2_00FA02C5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_00FA3689 NtProtectVirtualMemory,2_2_00FA3689
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_00FA0307 NtSetInformationThread,2_2_00FA0307
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A73A14 NtResumeThread,4_2_02A73A14
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A73A83 NtResumeThread,4_2_02A73A83
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A716DF NtWriteVirtualMemory,4_2_02A716DF
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A73AD8 NtResumeThread,4_2_02A73AD8
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A73A38 NtResumeThread,4_2_02A73A38
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A71661 NtWriteVirtualMemory,4_2_02A71661
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A73B93 NtResumeThread,4_2_02A73B93
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_02A43A14 NtResumeThread,5_2_02A43A14
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_02A43A83 NtResumeThread,5_2_02A43A83
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_02A43B93 NtResumeThread,5_2_02A43B93
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_02A43AD8 NtResumeThread,5_2_02A43AD8
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 5_2_02A43A38 NtResumeThread,5_2_02A43A38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_00FA1DD5 2_2_00FA1DD5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_1D9F7ABE 2_2_1D9F7ABE
Source: 8220198_Inv0ice_receipt.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8220198_Inv0ice_receipt.exe, 00000000.00000000.644404589.0000000000409000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGUARDSMANUNWROK.exe vs 8220198_Inv0ice_receipt.exe
Source: 8220198_Inv0ice_receipt.exe | Binary or memory string: OriginalFilenameGUARDSMANUNWROK.exe vs 8220198_Inv0ice_receipt.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@16/5@2/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\subfolder1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1376:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{8336edf7-3933-4980-b554-a310b4295c84}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
Source: 8220198_Inv0ice_receipt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 8220198_Inv0ice_receipt.exe | ReversingLabs: Detection: 14%
Source: unknown | Process created: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe 'C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe'
Source: C:\Users\user\subfolder1\filename1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5536, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5072, type: MEMORY
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_00404E7F push eax; iretd 0_2_00404E90
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_00404903 push ss; iretd 0_2_00404904
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_0221372B push edx; iretd 0_2_0221372C
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Code function: 0_2_022137DB push edx; iretd 0_2_022137DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_1D9F9D1C push eax; retf 2_2_1D9F9D2D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_1D9F9D30 pushad ; retf 2_2_1D9F9D31
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_1D9F74B8 push ebp; ret 2_2_1D9F74B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 2_2_1D9F74AC push ecx; ret 2_2_1D9F74AD
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A726A2 push ds; ret 4_2_02A726A3
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A726AE push ds; ret 4_2_02A726AF
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A72AB6 push ds; ret 4_2_02A72AB7
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A716BC push ds; ret 4_2_02A7166B
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A726BA push ds; ret 4_2_02A726BB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A736BA push ds; ret 4_2_02A736BB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A7268A push ds; ret 4_2_02A7268B
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A72A8A push ds; ret 4_2_02A72A8B
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A7328A push ds; ret 4_2_02A7328B
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A72696 push ds; ret 4_2_02A72697
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A72A96 push ds; ret 4_2_02A72A97
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A72AE6 push ds; ret 4_2_02A72AE7
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A732E4 push edx; ret 4_2_02A732EE
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A71AE2 push ds; ret 4_2_02A71AE3
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A71AEE push ds; ret 4_2_02A71AEF
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A702EA push ds; ret 4_2_02A702EB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A736EA push ds; ret 4_2_02A736EB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A702F6 push ds; ret 4_2_02A702F7
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A736F6 push ds; ret 4_2_02A736F7
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A71AFA push ds; ret 4_2_02A71AFB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A72EFA push ds; ret 4_2_02A72EFB
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A702C6 push ds; ret 4_2_02A702C7
Source: C:\Users\user\subfolder1\filename1.exe | Code function: 4_2_02A726C6 push ds; ret 4_2_02A726C7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\subfolder1\filename1.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Detected RDTSC dummy instruction sequence (likely for instruction hammering)
        Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe RDTSC instruction interceptor: First address: 0000000002211A9C second address: 0000000002211A9C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F29D4DFAEE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F29D4DFAED0h 0x00000028 push ecx 0x00000029 test bx, cx 0x0000002c call 00007F29D4DFAEF7h 0x00000031 call 00007F29D4DFAEFAh 0x00000036 lfence 0x00000039 mov edx, dword ptr [7FFE0014h] 0x0000003f lfence 0x00000042 ret 0x00000043 mov esi, edx 0x00000045 pushad 0x00000046 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A71A9C second address: 0000000002A71A9C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F29D4D57F48h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F29D4D57F30h 0x00000028 push ecx 0x00000029 test bx, cx 0x0000002c call 00007F29D4D57F57h 0x00000031 call 00007F29D4D57F5Ah 0x00000036 lfence 0x00000039 mov edx, dword ptr [7FFE0014h] 0x0000003f lfence 0x00000042 ret 0x00000043 mov esi, edx 0x00000045 pushad 0x00000046 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A41A9C second address: 0000000002A41A9C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F29D4D57F48h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F29D4D57F30h 0x00000028 push ecx 0x00000029 test bx, cx 0x0000002c call 00007F29D4D57F57h 0x00000031 call 00007F29D4D57F5Ah 0x00000036 lfence 0x00000039 mov edx, dword ptr [7FFE0014h] 0x0000003f lfence 0x00000042 ret 0x00000043 mov esi, edx 0x00000045 pushad 0x00000046 rdtsc
        Tries to detect Any.run
        Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe File opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\subfolder1\filename1.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\subfolder1\filename1.exe File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe RDTSC instruction interceptor: First address: 0000000002211A9C second address: 0000000002211A9C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F29D4DFAEE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F29D4DFAED0h 0x00000028 push ecx 0x00000029 test bx, cx 0x0000002c call 00007F29D4DFAEF7h 0x00000031 call 00007F29D4DFAEFAh 0x00000036 lfence 0x00000039 mov edx, dword ptr [7FFE0014h] 0x0000003f lfence 0x00000042 ret 0x00000043 mov esi, edx 0x00000045 pushad 0x00000046 rdtsc
        Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe RDTSC instruction interceptor: First address: 0000000002211B9B second address: 0000000002211B9B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F29D4D594ADh 0x0000001f popad 0x00000020 call 00007F29D4D57F52h 0x00000025 lfence 0x00000028 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000FA1B9B second address: 0000000000FA1B9B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F29D4DFC44Dh 0x0000001f popad 0x00000020 call 00007F29D4DFAEF2h 0x00000025 lfence 0x00000028 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A71A9C second address: 0000000002A71A9C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F29D4D57F48h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F29D4D57F30h 0x00000028 push ecx 0x00000029 test bx, cx 0x0000002c call 00007F29D4D57F57h 0x00000031 call 00007F29D4D57F5Ah 0x00000036 lfence 0x00000039 mov edx, dword ptr [7FFE0014h] 0x0000003f lfence 0x00000042 ret 0x00000043 mov esi, edx 0x00000045 pushad 0x00000046 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A71B9B second address: 0000000002A71B9B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F29D4DFC44Dh 0x0000001f popad 0x00000020 call 00007F29D4DFAEF2h 0x00000025 lfence 0x00000028 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A41A9C second address: 0000000002A41A9C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F29D4D57F48h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F29D4D57F30h 0x00000028 push ecx 0x00000029 test bx, cx 0x0000002c call 00007F29D4D57F57h 0x00000031 call 00007F29D4D57F5Ah 0x00000036 lfence 0x00000039 mov edx, dword ptr [7FFE0014h] 0x0000003f lfence 0x00000042 ret 0x00000043 mov esi, edx 0x00000045 pushad 0x00000046 rdtsc
        Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A41B9B second address: 0000000002A41B9B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F29D4DFC44Dh 0x0000001f popad 0x00000020 call 00007F29D4DFAEF2h 0x00000025 lfence 0x00000028 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F31B9B second address: 0000000000F31B9B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F29D4D594ADh 0x0000001f popad 0x00000020 call 00007F29D4D57F52h 0x00000025 lfence 0x00000028 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA10A4 rdtsc 2_2_00FA10A4
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6136 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 900 Thread sleep time: -220000s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: 8220198_Inv0ice_receipt.exe, 00000000.00000002.782261669.000000000496A000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
        Source: 8220198_Inv0ice_receipt.exe, 00000000.00000002.782261669.000000000496A000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
        Source: RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
        Source: 8220198_Inv0ice_receipt.exe, 00000000.00000002.782261669.000000000496A000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
        Source: 8220198_Inv0ice_receipt.exe, 00000000.00000002.782261669.000000000496A000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
        Source: 8220198_Inv0ice_receipt.exe, 00000000.00000002.782261669.000000000496A000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
        Source: RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: vmicvss
        Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: 8220198_Inv0ice_receipt.exe, 00000000.00000002.782261669.000000000496A000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
        Source: 8220198_Inv0ice_receipt.exe, 00000000.00000002.782261669.000000000496A000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
        Source: 8220198_Inv0ice_receipt.exe, 00000000.00000002.782261669.000000000496A000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
        Source: RegAsm.exe, 00000002.00000002.961714615.0000000002DFA000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to hide a thread from the debugger
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA02C5 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000 2_2_00FA02C5
        Hides threads from debuggers
        Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe Thread information set: HideFromDebugger
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\subfolder1\filename1.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort
        Source: C:\Users\user\subfolder1\filename1.exe Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA10A4 rdtsc 2_2_00FA10A4
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA10A4 mov eax, dword ptr fs:[00000030h] 2_2_00FA10A4
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA0EFF mov eax, dword ptr fs:[00000030h] 2_2_00FA0EFF
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA104C mov eax, dword ptr fs:[00000030h] 2_2_00FA104C
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA2DC0 mov eax, dword ptr fs:[00000030h] 2_2_00FA2DC0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA19A0 mov eax, dword ptr fs:[00000030h] 2_2_00FA19A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA2DA7 mov eax, dword ptr fs:[00000030h] 2_2_00FA2DA7
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA0B92 mov eax, dword ptr fs:[00000030h] 2_2_00FA0B92
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA338B mov eax, dword ptr fs:[00000030h] 2_2_00FA338B
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00FA2F84 mov eax, dword ptr fs:[00000030h] 2_2_00FA2F84
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00F30EFF mov eax, dword ptr fs:[00000030h] 6_2_00F30EFF
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00F310A4 mov eax, dword ptr fs:[00000030h] 6_2_00F310A4
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00F3104C mov eax, dword ptr fs:[00000030h] 6_2_00F3104C
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00F32DC0 mov eax, dword ptr fs:[00000030h] 6_2_00F32DC0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00F319A0 mov eax, dword ptr fs:[00000030h] 6_2_00F319A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00F32DA7 mov eax, dword ptr fs:[00000030h] 6_2_00F32DA7
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00F30B92 mov eax, dword ptr fs:[00000030h] 6_2_00F30B92
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00F32F84 mov eax, dword ptr fs:[00000030h] 6_2_00F32F84
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00F3338B mov eax, dword ptr fs:[00000030h] 6_2_00F3338B
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_01100B92 mov eax, dword ptr fs:[00000030h] 10_2_01100B92
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_01102F84 mov eax, dword ptr fs:[00000030h] 10_2_01102F84
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_0110338B mov eax, dword ptr fs:[00000030h] 10_2_0110338B
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_011019A0 mov eax, dword ptr fs:[00000030h] 10_2_011019A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_01102DA7 mov eax, dword ptr fs:[00000030h] 10_2_01102DA7
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_01102DC0 mov eax, dword ptr fs:[00000030h] 10_2_01102DC0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_0110104C mov eax, dword ptr fs:[00000030h] 10_2_0110104C
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_011010A4 mov eax, dword ptr fs:[00000030h] 10_2_011010A4
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_01100EFF mov eax, dword ptr fs:[00000030h] 10_2_01100EFF
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: FA0000
        Source: C:\Users\user\subfolder1\filename1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: F30000
        Source: C:\Users\user\subfolder1\filename1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1100000
        Source: C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\8220198_Inv0ice_receipt.exe'
        Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
        Source: RegAsm.exe, 00000002.00000002.961654215.00000000019A0000.00000002.00000001.sdmp, filename1.exe, 00000004.00000002.918969956.0000000000D50000.00000002.00000001.sdmp, filename1.exe, 00000005.00000002.935284347.0000000000B40000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.913643069.00000000018A0000.00000002.00000001.sdmp, RegAsm.exe, 0000000A.00000002.913568213.00000000018F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
        Source: RegAsm.exe, 00000002.00000002.961654215.00000000019A0000.00000002.00000001.sdmp, filename1.exe, 00000004.00000002.918969956.0000000000D50000.00000002.00000001.sdmp, filename1.exe, 00000005.00000002.935284347.0000000000B40000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.913643069.00000000018A0000.00000002.00000001.sdmp, RegAsm.exe, 0000000A.00000002.913568213.00000000018F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: RegAsm.exe, 00000002.00000002.961654215.00000000019A0000.00000002.00000001.sdmp, filename1.exe, 00000004.00000002.918969956.0000000000D50000.00000002.00000001.sdmp, filename1.exe, 00000005.00000002.935284347.0000000000B40000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.913643069.00000000018A0000.00000002.00000001.sdmp, RegAsm.exe, 0000000A.00000002.913568213.00000000018F0000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: RegAsm.exe, 00000002.00000002.961654215.00000000019A0000.00000002.00000001.sdmp, filename1.exe, 00000004.00000002.918969956.0000000000D50000.00000002.00000001.sdmp, filename1.exe, 00000005.00000002.935284347.0000000000B40000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.913643069.00000000018A0000.00000002.00000001.sdmp, RegAsm.exe, 0000000A.00000002.913568213.00000000018F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Mitre Att&ck Matrix

        Techniques listed per tactic column (trailing digits are the matched-signature counts that were rendered as superscripts in the original matrix):

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
        Execution: Windows Management Instrumentation1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
        Persistence: Registry Run Keys / Startup Folder1; DLL Side-Loading1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
        Privilege Escalation: Process Injection112; Registry Run Keys / Startup Folder1; DLL Side-Loading1; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
        Defense Evasion: Masquerading1; Virtualization/Sandbox Evasion23; Disable or Modify Tools1; Process Injection112; Hidden Files and Directories1; Obfuscated Files or Information1; DLL Side-Loading1
        Credential Access: Input Capture1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
        Discovery: Security Software Discovery731; Virtualization/Sandbox Evasion23; Process Discovery2; Remote System Discovery1; System Information Discovery22; System Owner/User Discovery; Network Sniffing
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
        Collection: Input Capture1; Archive Collected Data1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
        Command and Control: Encrypted Channel12; Non-Standard Port1; Non-Application Layer Protocol1; Application Layer Protocol12; Fallback Channels; Multiband Communication; Commonly Used Port
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi