
Analysis Report PP02267.exe

Overview

General Information

Sample Name: PP02267.exe
Analysis ID: 310974
MD5: 81a4e7b242a1e38a0023dca07d814f84
SHA1: 569f9c9caf3e5000cad21caaecd8a676fa4a5a5a
SHA256: 27901356eb5538b402d917cbae797df863ec26c24f8d3126d0aa90ddd3cc7707
Tags: exe

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • PP02267.exe (PID: 2412 cmdline: 'C:\Users\user\Desktop\PP02267.exe' MD5: 81A4E7B242A1E38A0023DCA07D814F84)
    • RegAsm.exe (PID: 5660 cmdline: 'C:\Users\user\Desktop\PP02267.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000010.00000002.486295836.000000001DC61000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000010.00000002.486295836.000000001DC61000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000010.00000002.478852605.00000000011A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: RegAsm.exe PID: 5660 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 5660 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: PP02267.exe  ReversingLabs: Detection: 10%

Source: Joe Sandbox View  IP Address: 216.58.208.129
Source: Joe Sandbox View  JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown  DNS traffic detected: queries for: doc-00-8s-docs.googleusercontent.com
Source: RegAsm.exe, 00000010.00000002.486295836.000000001DC61000.00000004.00000001.sdmp  String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000010.00000002.486295836.000000001DC61000.00000004.00000001.sdmp  String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000010.00000002.486295836.000000001DC61000.00000004.00000001.sdmp  String found in binary or memory: http://fjXLnv.com
Source: RegAsm.exe, 00000010.00000002.486295836.000000001DC61000.00000004.00000001.sdmp  String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: RegAsm.exe, 00000010.00000002.486295836.000000001DC61000.00000004.00000001.sdmp  String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: RegAsm.exe, 00000010.00000002.478852605.00000000011A0000.00000040.00000001.sdmp  String found in binary or memory: https://drive.google.com/uc?export=download&id=1sNHtUwNtzuaGHtUf_6j2n1nIZCbRriMb
Source: RegAsm.exe, 00000010.00000002.486295836.000000001DC61000.00000004.00000001.sdmp  String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown  Network traffic detected: HTTP traffic on port 49737 -> 443
Source: C:\Users\user\Desktop\PP02267.exe  Process Stats: CPU usage > 98%
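The process tree in the Startup section (an executable on the user's Desktop spawning RegAsm.exe from the .NET framework directory, with the child carrying the parent's own command line) and the network indicators above (the Google IP, the JA3 fingerprint, the googleusercontent DNS query, the ipify and Telegram strings in the AgentTesla dump) translate directly into hunting logic. The Python below is an added example written for this page, not Joe Sandbox output: it encodes those indicators and runs them over constructed Sysmon-style events. The Framework64 path, the Downloads and AppData parent folders, and the JA3 enrichment field on connect events are assumptions that go beyond what the report shows.

```python
"""Hunting logic distilled from this report, run over constructed Sysmon-style
events (EventID 1 = process create, 22 = DNS query, 3 = network connect).
Indicator values are copied from the report; the events are constructed."""
import re
from collections import defaultdict

# Indicators copied from the report.
SAMPLE_SHA256 = "27901356eb5538b402d917cbae797df863ec26c24f8d3126d0aa90ddd3cc7707"
REPORT_IP = "216.58.208.129"
REPORT_JA3 = "37f463bf4616ecd445d4a1937da06e19"
STAGING_DOMAINS = {
    "doc-00-8s-docs.googleusercontent.com",  # payload download observed in DNS traffic
    "api.ipify.org",                          # external-IP lookup string in the AgentTesla dump
    "api.telegram.org",                       # bot sendDocument exfil string in the AgentTesla dump
}

# RegAsm.exe under the .NET framework directory. The report shows the 32-bit
# path; accepting Framework64 as well is an assumption.
RE_REGASM = re.compile(
    r"\\Windows\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\RegAsm\.exe$", re.I)
# Parent started from a user-writable folder. The report's case is Desktop;
# Downloads and AppData are added as the obvious generalisation.
RE_USER_EXE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\.*\.exe$", re.I)


def check_process(ev):
    """Tags for one process-create event."""
    if ev.get("EventID") != 1:
        return []
    tags = []
    if RE_REGASM.search(ev.get("Image", "")) and RE_USER_EXE.match(ev.get("ParentImage", "")):
        tags.append("regasm_from_user_exe")
        # In the report RegAsm.exe runs with its parent's command line
        # ('C:\Users\user\Desktop\PP02267.exe'). A hollowed child inherits the
        # spoofed line; a genuine RegAsm call names RegAsm and an assembly.
        if "regasm" not in ev.get("CommandLine", "").lower():
            tags.append("regasm_cmdline_mismatch")
    if f"sha256={SAMPLE_SHA256}" in ev.get("Hashes", "").lower():
        tags.append("known_sample_sha256")
    return tags


def check_network(ev):
    """Tags for DNS (22) and connect (3) events."""
    tags = []
    if ev.get("EventID") == 22:
        q = ev.get("QueryName", "").lower()
        if q in STAGING_DOMAINS or q.endswith(".googleusercontent.com"):
            tags.append(f"dns:{q}")
    elif ev.get("EventID") == 3:
        if ev.get("DestinationIp") == REPORT_IP:
            tags.append(f"ip:{REPORT_IP}")
        # JA3 is not a Sysmon field; assumed to come from TLS-inspecting enrichment.
        if ev.get("JA3", "").lower() == REPORT_JA3:
            tags.append("ja3:" + REPORT_JA3)
    return tags


def score(events):
    """Group tags by ProcessGuid. A process is flagged on the known hash, or when
    the RegAsm hollowing chain coincides with a network indicator: on their own a
    Google IP or a googleusercontent lookup are far too common to alert on."""
    per_proc = defaultdict(set)
    for ev in events:
        per_proc[ev["ProcessGuid"]].update(check_process(ev) + check_network(ev))
    flagged = {}
    for guid, tags in per_proc.items():
        chain = "regasm_from_user_exe" in tags
        net = any(t.startswith(("dns:", "ip:", "ja3:")) for t in tags)
        if (chain and net) or "known_sample_sha256" in tags:
            flagged[guid] = sorted(tags)
    return flagged


# Constructed telemetry modelled on the report's process tree and network section
# (PIDs 2412 and 5660 from the Startup section), plus one benign RegAsm use.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "P-2412",
     "Image": r"C:\Users\user\Desktop\PP02267.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"'C:\Users\user\Desktop\PP02267.exe'",
     "Hashes": "SHA256=27901356EB5538B402D917CBAE797DF863EC26C24F8D3126D0AA90DDD3CC7707"},
    {"EventID": 1, "ProcessGuid": "P-5660",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\user\Desktop\PP02267.exe",
     "CommandLine": r"'C:\Users\user\Desktop\PP02267.exe'",
     "Hashes": "MD5=6FD7592411112729BF6B1F2F6C34899F"},
    {"EventID": 22, "ProcessGuid": "P-5660", "QueryName": "doc-00-8s-docs.googleusercontent.com"},
    {"EventID": 3, "ProcessGuid": "P-5660", "DestinationIp": "216.58.208.129", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "P-9001",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": r"RegAsm.exe /codebase MyLib.dll",
     "Hashes": "MD5=6FD7592411112729BF6B1F2F6C34899F"},
]

if __name__ == "__main__":
    for guid, tags in score(EVENTS).items():
        print(guid, tags)
```

The benign developer case (Visual Studio registering an assembly) is not flagged because the parent path rule fails, and a lone Google lookup is never enough on its own; the hollowed RegAsm.exe is flagged because the parent-path and command-line checks coincide with the DNS and IP indicators. Hash and IP indicators from a single sandbox run age quickly, so the structural rule (RegAsm.exe from a user-writable parent with a non-RegAsm command line) is the part worth keeping.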
Source: C:\Users\user\Desktop\PP02267.exe  Code functions calling native APIs:
  NtSetContextThread: 0_2_020F5380, 0_2_020F539A, 0_2_020F53AF, 0_2_020F53C7, 0_2_020F53F6, 0_2_020F540A, 0_2_020F543A, 0_2_020F5457, 0_2_020F5476, 0_2_020F548B, 0_2_020F54BA, 0_2_020F54CF, 0_2_020F54EA, 0_2_020F5501, 0_2_020F551A, 0_2_020F555E, 0_2_020F5582, 0_2_020F559A, 0_2_020F55AE, 0_2_020F55C6, 0_2_020F55E3, 0_2_020F55FF, 0_2_020F5632, 0_2_020F564A, 0_2_020F565E
  NtWriteVirtualMemory: 0_2_020F2264
  NtSetInformationThread: 0_2_020F047B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code functions calling native APIs:
  NtSetInformationThread: 16_2_011A0364 (EnumWindows, NtSetInformationThread), 16_2_011A03B1, 16_2_011A03B3, 16_2_011A03DB, 16_2_011A0412, 16_2_011A044A, 16_2_011A0486, 16_2_011A0524 (NtSetInformationThread, LdrInitializeThunk, LoadLibraryA), 16_2_011A0E4E, 16_2_011A4827, 16_2_011A4AF4, 16_2_011A4FC7
  NtQueryInformationProcess: 16_2_011A5380, 16_2_011A539A, 16_2_011A53AF, 16_2_011A53C7, 16_2_011A53F6, 16_2_011A540A, 16_2_011A543A, 16_2_011A5457, 16_2_011A5476, 16_2_011A548B, 16_2_011A54BA, 16_2_011A54CF, 16_2_011A54EA, 16_2_011A5501, 16_2_011A551A, 16_2_011A555E, 16_2_011A5582, 16_2_011A559A, 16_2_011A55AE, 16_2_011A55C6, 16_2_011A55E3, 16_2_011A55FF, 16_2_011A5632, 16_2_011A564A, 16_2_011A565E
  NtProtectVirtualMemory: 16_2_011A4FA9, 16_2_011A4FCA, 16_2_011A4FE2
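The memory-dump names in the Yara Overview and the code-function IDs above share a numbering: the RegAsm.exe dumps begin with 00000010 (hex 16) and its call sites with 16_2_, and the GuLoader hit at base 0x011A0000 covers the 0x011Axxxx sites that call NtSetInformationThread, NtQueryInformationProcess and NtProtectVirtualMemory. The offsets of those sites (0x5380, 0x540A and so on) also recur in the parent's NtSetContextThread sites at 0x020F5380, 0x020F540A, which is consistent with one loader body mapped at two different bases. The Python below is an added example written for this page, not part of the report: it decodes the dump names and places each call site in a dump. The field layout of the dump name (process index, stage, dump id, base address, page protection, type) and the 64 KiB allocation granularity used to bound a region whose size the report does not give are assumptions; the protection constants are the winnt.h values.

```python
"""Decode Joe Sandbox memory-dump names from the Yara Overview and relate them to
the code-function IDs quoted in this report's signature section."""
import re
from dataclasses import dataclass

# Dump names and rule hits copied from the Yara Overview.
DUMP_HITS = {
    "00000010.00000002.486295836.000000001DC61000.00000004.00000001.sdmp":
        ["JoeSecurity_AgentTesla_1", "JoeSecurity_CredentialStealer"],
    "00000010.00000002.478852605.00000000011A0000.00000040.00000001.sdmp":
        ["JoeSecurity_GuLoader"],
}

# Code-function IDs copied from the report (assumed layout: processindex_stage_address)
# with the native API each stub calls. A representative subset, not the full list.
CODE_FUNCTIONS = {
    "0_2_020F5380": "NtSetContextThread",
    "0_2_020F540A": "NtSetContextThread",
    "0_2_020F2264": "NtWriteVirtualMemory",
    "0_2_020F047B": "NtSetInformationThread",
    "16_2_011A0524": "NtSetInformationThread,LdrInitializeThunk,LoadLibraryA",
    "16_2_011A4FE2": "NtProtectVirtualMemory",
    "16_2_011A5380": "NtQueryInformationProcess",
    "16_2_011A540A": "NtQueryInformationProcess",
}

# Page protection constants from winnt.h.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# VirtualAlloc base-address granularity; the report gives no region sizes, so a
# call site is attributed to a dump when it lies in the dump's 64 KiB block (assumption).
ALLOC_GRANULARITY = 0x10000

# Assumed field layout of a dump name:
# <process index>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp
DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$",
    re.I)


@dataclass
class Dump:
    process_index: int
    stage: int
    base: int
    protect: int
    rules: list

    @property
    def protection(self):
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:02X}")


def parse_dump_name(name, rules=()):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    pidx, stage, _dump_id, base, prot, _kind = m.groups()
    return Dump(int(pidx, 16), int(stage, 16), int(base, 16), int(prot, 16), list(rules))


DUMPS = [parse_dump_name(n, r) for n, r in DUMP_HITS.items()]


def locate(code_function_id, dumps=DUMPS):
    """Dump whose process index matches and whose 64 KiB block contains the
    call-site address, or None."""
    pidx, _stage, addr = code_function_id.split("_")
    pidx, addr = int(pidx), int(addr, 16)
    for d in dumps:
        if d.process_index == pidx and d.base <= addr < d.base + ALLOC_GRANULARITY:
            return d
    return None


def shared_offsets(functions=CODE_FUNCTIONS, parent=(0, 0x020F0000), child=(16, 0x011A0000)):
    """Offsets (address minus region base) present in both the parent's and the
    hollowed child's call sites; identical offsets indicate the same loader code
    mapped at two bases."""
    def offsets(pidx, base):
        out = set()
        for fid in functions:
            p, _s, a = fid.split("_")
            if int(p) == pidx:
                out.add(int(a, 16) - base)
        return out
    return offsets(*parent) & offsets(*child)


if __name__ == "__main__":
    for fid, api in CODE_FUNCTIONS.items():
        d = locate(fid)
        where = f"{d.rules} {d.protection}" if d else "no Yara-hit dump"
        print(f"{fid:15} {api:60} -> {where}")
    print("shared offsets:", [hex(o) for o in sorted(shared_offsets())])
```

Every 16_2_011Axxxx site lands in the GuLoader dump, which is PAGE_EXECUTE_READWRITE (0x40): the loader runs from memory it allocated writable and executable, which is also the region NtProtectVirtualMemory is called from. The AgentTesla hit at 0x1DC61000 is PAGE_READWRITE (0x04) and no native call site in the report falls in it, consistent with a .NET payload living in data memory rather than native shellcode. No dump exists for process 0 because the report's Yara hits are all in RegAsm.exe, so the parent's call sites resolve to nothing.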
Source: C:\Users\user\Desktop\PP02267.exe  Code functions:
  0_2_00403048, 0_2_00402C4B, 0_2_00403253, 0_2_00402A56, 0_2_0040325B, 0_2_00403062, 0_2_00402A64, 0_2_00402E69, 0_2_00402C70, 0_2_00403071,
  0_2_00403277, 0_2_00402E7C, 0_2_00402E0D, 0_2_00402C13, 0_2_00403216, 0_2_00402E17, 0_2_00402C22, 0_2_00403228, 0_2_004032C9, 0_2_004030CE,
  0_2_00402AD6, 0_2_00402CDA, 0_2_004032EB, 0_2_00402CF0, 0_2_004028F0, 0_2_004030F7, 0_2_00402EFB, 0_2_00402A80, 0_2_00403080, 0_2_00402E85,
  0_2_00402C8A, 0_2_0040328A, 0_2_00403291, 0_2_00403097, 0_2_0040309D, 0_2_00402CAB, 0_2_00402AAE, 0_2_004032B7, 0_2_004030B9, 0_2_00402EBB,
  0_2_00402D41, 0_2_00402F49, 0_2_0040294B, 0_2_00402958, 0_2_00403158, 0_2_00403163, 0_2_00402D6F, 0_2_00402B71, 0_2_00402B77, 0_2_00403101,
  0_2_00402B07, 0_2_00402907, 0_2_00403312, 0_2_00402D17, 0_2_00402925, 0_2_00403328, 0_2_00402B35, 0_2_004031C4, 0_2_004029C8, 0_2_00402DCE,
  0_2_004029D4, 0_2_00402FD7, 0_2_004029DA, 0_2_00402BE1, 0_2_004029EC, 0_2_00402DF0, 0_2_00402FF9, 0_2_004031FC, 0_2_00402B87, 0_2_00402991,
  0_2_00402F97, 0_2_00402B9A, 0_2_0040299C, 0_2_00402DA1, 0_2_00402BA8, 0_2_00402FA9, 0_2_004031AA, 0_2_00402DB0, 0_2_00402BB1
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_00402FA90_2_00402FA9
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_004031AA0_2_004031AA
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_00402DB00_2_00402DB0
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_00402BB10_2_00402BB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_1DB4482816_2_1DB44828
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_1DB4D6C116_2_1DB4D6C1
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\LFSRb\LFSRb.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
            Source: PP02267.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PP02267.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PP02267.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PP02267.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PP02267.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PP02267.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PP02267.exe, 00000000.00000002.431743065.000000000040D000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMELLIVOR.exe vs PP02267.exe
            Source: PP02267.exe, 00000000.00000002.432154698.00000000020C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PP02267.exe
            Source: PP02267.exeBinary or memory string: OriginalFilenameMELLIVOR.exe vs PP02267.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
            Source: classification engineClassification label: mal100.troj.evad.winEXE@4/1@1/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\LFSRb
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_01
            Source: PP02267.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PP02267.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\PP02267.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: PP02267.exeReversingLabs: Detection: 10%
            Source: unknownProcess created: C:\Users\user\Desktop\PP02267.exe 'C:\Users\user\Desktop\PP02267.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PP02267.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PP02267.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PP02267.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000010.00000002.478734325.00000000010A4000.00000004.00000001.sdmp, LFSRb.exe.16.dr
            Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000010.00000002.478734325.00000000010A4000.00000004.00000001.sdmp, LFSRb.exe.16.dr

            Data Obfuscation:

            barindex
            Yara detected GuLoader
            Source: Yara matchFile source: 00000010.00000002.478852605.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5660, type: MEMORY
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_00405642 push FFFFFF84h; iretd 0_2_00405679
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_00407EFC push edx; iretd 0_2_00407EFD
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_00409BF4 push esi; ret 0_2_00409F15
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_004041A4 push ebx; ret 0_2_004041AF
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_020F0E08 push edi; iretd 0_2_020F0E09
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_020F1648 push ecx; iretd 0_2_020F1649
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_020F1D74 push edx; iretd 0_2_020F1D75
            Source: C:\Users\user\Desktop\PP02267.exeCode function: 0_2_020F47B4 push edx; iretd 0_2_020F47B5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_011A31B2 pushfd ; retn F2E8h 16_2_011A3194
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\LFSRb\LFSRb.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run LFSRb

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Icon mismatch, binary includes an icon from a different legit application in order to fool users
            Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (31).png
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\LFSRb\LFSRb.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\PP02267.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
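            The persistence lines under Data Obfuscation (LFSRb.exe dropped under AppData\Roaming and the LFSRb Run value), the Zone.Identifier deletion above, and the process tree in which RegAsm.exe is started by PP02267.exe with the dropper's own path as its command line form one chain that can be hunted in endpoint telemetry. The following is an added example written by the editor, not code from the report or from the sample: Sysmon-style events constructed from the report's lines are scored by four rules, an image/command-line mismatch, a .NET framework utility writing a Run value, the same utility dropping an executable under AppData\Roaming, and deletion of a Zone.Identifier stream. The Event schema, the DOTNET_HOSTS list and the rule names are the editor's choices, not something the report defines.

```python
import ntpath
from dataclasses import dataclass

# Added hunting example, not part of the Joe Sandbox report: scores Sysmon-style
# events for the chain the report documents (PP02267.exe -> RegAsm.exe carrying the
# dropper's command line, RegAsm.exe dropping LFSRb.exe under AppData\Roaming,
# writing a Run value, and deleting the Zone.Identifier stream). The Event fields
# and SAMPLE_EVENTS are constructed by the editor from the report's lines.

# .NET framework utilities routinely used as hollowing hosts (editor's list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


@dataclass(frozen=True)
class Event:
    kind: str              # "process", "file_create", "registry_set", "stream_delete"
    image: str             # full path of the acting process
    command_line: str = ""
    parent_image: str = ""
    target: str = ""       # created file, registry value, or deleted stream


def first_token(command_line: str) -> str:
    """Return the program part of a command line, honouring '...' or "..." quoting."""
    s = command_line.strip()
    if s and s[0] in "'\"":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def hunt(events):
    """Return (rule, acting_image, target) findings in event order."""
    findings = []
    for e in events:
        image = ntpath.basename(e.image).lower()
        if e.kind == "process" and e.command_line:
            launched = ntpath.basename(first_token(e.command_line)).lower()
            # The command line names a different executable than the mapped image:
            # the footprint of a process created suspended and then overwritten.
            if launched and launched != image:
                findings.append(("image_cmdline_mismatch", e.image, e.command_line))
        elif e.kind == "registry_set" and image in DOTNET_HOSTS and RUN_KEY in e.target.lower():
            findings.append(("dotnet_host_run_key", e.image, e.target))
        elif e.kind == "file_create" and image in DOTNET_HOSTS:
            t = e.target.lower()
            if "\\appdata\\roaming\\" in t and t.endswith(".exe"):
                findings.append(("dotnet_host_drops_exe", e.image, e.target))
        elif e.kind == "stream_delete" and e.target.lower().endswith(":zone.identifier"):
            findings.append(("mark_of_the_web_removed", e.image, e.target))
    return findings


def link_run_to_drop(findings):
    """Pair Run values with dropped executables sharing their name (LFSRb / LFSRb.exe).
    The report shows only the value name, not its data, so this is a name match."""
    drops = {ntpath.splitext(ntpath.basename(t))[0].lower(): t
             for rule, _, t in findings if rule == "dotnet_host_drops_exe"}
    links = []
    for rule, _, t in findings:
        if rule == "dotnet_host_run_key":
            name = t.rsplit("\\", 1)[-1].lower()
            if name in drops:
                links.append((t, drops[name]))
    return links


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
DROPPER = r"C:\Users\user\Desktop\PP02267.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\LFSRb\LFSRb.exe"

# Constructed from the report's process tree and artifact lines.
SAMPLE_EVENTS = [
    Event("process", DROPPER, command_line=f"'{DROPPER}'"),
    Event("process", REGASM, command_line=f"'{DROPPER}'", parent_image=DROPPER),
    Event("process", r"C:\Windows\System32\conhost.exe",
          command_line=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Event("file_create", REGASM, target=DROPPED),
    Event("registry_set", REGASM,
          target=r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LFSRb"),
    Event("stream_delete", REGASM, target=DROPPED + ":Zone.Identifier"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding, sep="  ")
    print("run value -> dropped file:", link_run_to_drop(hunt(SAMPLE_EVENTS)))
```

            The mismatch rule fires on the RegAsm.exe process because the report shows its command line as 'C:\Users\user\Desktop\PP02267.exe' while its image is RegAsm.exe; conhost.exe, whose command line names itself, is not flagged. The link between the Run value and the dropped file is a name match only, because the report does not show the Run value's data.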

            Malware Analysis System Evasion:

            barindex
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\PP02267.exeRDTSC instruction interceptor: First address: 00000000020F27C0 second address: 00000000020F27C0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FD8A8F61D58h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 test edx, ebx 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007FD8A8F61D3Ch 0x0000002a test eax, 2E6D3265h 0x0000002f push ecx 0x00000030 call 00007FD8A8F61D81h 0x00000035 call 00007FD8A8F61D6Ah 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\PP02267.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\PP02267.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: RegAsm.exe, 00000010.00000002.478852605.00000000011A0000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\PP02267.exeRDTSC instruction interceptor: First address: 00000000020F27C0 second address: 00000000020F27C0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FD8A8F61D58h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 test edx, ebx 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007FD8A8F61D3Ch 0x0000002a test eax, 2E6D3265h 0x0000002f push ecx 0x00000030 call 00007FD8A8F61D81h 0x00000035 call 00007FD8A8F61D6Ah 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
            Source: C:\Users\user\Desktop\PP02267.exeRDTSC instruction interceptor: First address: 00000000020F2938 second address: 00000000020F2938 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FD8A8386741h 0x0000001f popad 0x00000020 call 00007FD8A8384918h 0x00000025 lfence 0x00000028 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 00000000011A2938 second address: 00000000011A2938 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FD8A8F63BA1h 0x0000001f popad 0x00000020 call 00007FD8A8F61D78h 0x00000025 lfence 0x00000028 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_011A0524 rdtsc 16_2_011A0524
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5884 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: RegAsm.exe, 00000010.00000002.478852605.00000000011A0000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A0524 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,011A043D,00000000,00000000,00000000 16_2_011A0524
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\PP02267.exe | Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\PP02267.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A0524 rdtsc 16_2_011A0524
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A0524 NtSetInformationThread,LdrInitializeThunk,LoadLibraryA, 16_2_011A0524
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A19ED mov eax, dword ptr fs:[00000030h] 16_2_011A19ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A4AF4 mov eax, dword ptr fs:[00000030h] 16_2_011A4AF4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A19C6 mov eax, dword ptr fs:[00000030h] 16_2_011A19C6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A19FA mov eax, dword ptr fs:[00000030h] 16_2_011A19FA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A170F mov eax, dword ptr fs:[00000030h] 16_2_011A170F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A3F06 mov eax, dword ptr fs:[00000030h] 16_2_011A3F06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A4B22 mov eax, dword ptr fs:[00000030h] 16_2_011A4B22
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A1751 mov eax, dword ptr fs:[00000030h] 16_2_011A1751
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A439D mov eax, dword ptr fs:[00000030h] 16_2_011A439D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A4B82 mov eax, dword ptr fs:[00000030h] 16_2_011A4B82
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A43AE mov eax, dword ptr fs:[00000030h] 16_2_011A43AE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A124D mov eax, dword ptr fs:[00000030h] 16_2_011A124D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A2675 mov eax, dword ptr fs:[00000030h] 16_2_011A2675
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A3EDF mov eax, dword ptr fs:[00000030h] 16_2_011A3EDF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_011A3EDD mov eax, dword ptr fs:[00000030h] 16_2_011A3EDD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:
