Play interactive tour

Edit tour

Analysis Report Pagamento.exe

Overview

General Information

Sample Name:	Pagamento.exe
Analysis ID:	321143
MD5:	b8197d8952605ea1ed36ea874152a251
SHA1:	39a6ba55c24c9962174acb056d12b5cfa9eff646
SHA256:	c40b22f18e596d932438b11f44d1f78c3c217a5d96a31b884a72ff83994df03b
Tags:	AgentTesla
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: RegAsm connects to smtp port

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Pagamento.exe (PID: 6380 cmdline: 'C:\Users\user\Desktop\Pagamento.exe' MD5: B8197D8952605EA1ED36EA874152A251)

RegAsm.exe (PID: 4652 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 4680 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "n5HeQHK5F6L", "URL: ": "http://t3WjFakexhm5e07NJ.net", "To: ": "info.greatdeck@greatdeck.co", "ByHost: ": "mail.greatdeck.co:587", "Password: ": "Yzeo2nGT", "From: ": "info.greatdeck@greatdeck.co"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.338315730.0000000004EE0000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.340576792.0000000006A49000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Pagamento.exe PID: 6380	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 4680	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 4680	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Pagamento.exe.58a0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 162.222.226.70, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 4680, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49751

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegAsm.exe.4680.2.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "n5HeQHK5F6L", "URL: ": "http://t3WjFakexhm5e07NJ.net", "To: ": "info.greatdeck@greatdeck.co", "ByHost: ": "mail.greatdeck.co:587", "Password: ": "Yzeo2nGT", "From: ": "info.greatdeck@greatdeck.co"}

Machine Learning detection for sample

Show sources

Source: Pagamento.exe

Joe Sandbox ML: detected

Source: 2.2.RegAsm.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49751 -> 162.222.226.70:587

Source: global traffic

TCP traffic: 192.168.2.6:49751 -> 162.222.226.70:587

Source: Joe Sandbox View

IP Address: 162.222.226.70 162.222.226.70

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: global traffic

TCP traffic: 192.168.2.6:49751 -> 162.222.226.70:587

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: http://Bvcujr.com
Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000002.00000002.593886268.0000000003269000.00000004.00000001.sdmp	String found in binary or memory: http://greatdeck.co
Source: RegAsm.exe, 00000002.00000002.593886268.0000000003269000.00000004.00000001.sdmp	String found in binary or memory: http://mail.greatdeck.co
Source: RegAsm.exe, 00000002.00000002.593820435.0000000003227000.00000004.00000001.sdmp	String found in binary or memory: http://t3WjFakexhm5e07NJ.net
Source: RegAsm.exe, 00000002.00000002.593820435.0000000003227000.00000004.00000001.sdmp	String found in binary or memory: http://t3WjFakexhm5e07NJ.netP
Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Pagamento.exe, 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Pagamento.exe, 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Jump to behavior

Source: Pagamento.exe, 00000000.00000002.336548068.00000000015E0000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Source: C:\Users\user\Desktop\Pagamento.exe	Code function: 0_2_00E6EF01	0_2_00E6EF01
Source: C:\Users\user\Desktop\Pagamento.exe	Code function: 0_2_015D04F0	0_2_015D04F0
Source: C:\Users\user\Desktop\Pagamento.exe	Code function: 0_2_015D04E1	0_2_015D04E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00FFD8E0	2_2_00FFD8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00FF4430	2_2_00FF4430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00FF4EFA	2_2_00FF4EFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00FFC6D0	2_2_00FFC6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00FF8F38	2_2_00FF8F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00FF99A0	2_2_00FF99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01006048	2_2_01006048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01003CDB	2_2_01003CDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0100EBA0	2_2_0100EBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01001200	2_2_01001200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0100CED0	2_2_0100CED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0100A50E	2_2_0100A50E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0100A510	2_2_0100A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0100E730	2_2_0100E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01006A30	2_2_01006A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02C95EA8	2_2_02C95EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02C95721	2_2_02C95721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02C96490	2_2_02C96490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02C92410	2_2_02C92410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02C9F518	2_2_02C9F518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02C9D880	2_2_02C9D880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02C9F560	2_2_02C9F560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02D1E198	2_2_02D1E198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02D10F58	2_2_02D10F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02D19710	2_2_02D19710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_059D7538	2_2_059D7538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_059D94F8	2_2_059D94F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_059D6C68	2_2_059D6C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_059DC9AF	2_2_059DC9AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_059D250B	2_2_059D250B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_059D2670	2_2_059D2670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_059D2660	2_2_059D2660

Source: Pagamento.exe, 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameKSNqaOSyHMGbBIJqcKRgjDNxy.exe4 vs Pagamento.exe
Source: Pagamento.exe, 00000000.00000002.336548068.00000000015E0000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Pagamento.exe
Source: Pagamento.exe, 00000000.00000002.337648660.0000000004811000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameQDUeTPNJmXbyMcBK.bounce.exe4 vs Pagamento.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: Pagamento.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@3/1

Source: C:\Users\user\Desktop\Pagamento.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pagamento.exe.log

Jump to behavior

Source: Pagamento.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Pagamento.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Pagamento.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Pagamento.exe 'C:\Users\user\Desktop\Pagamento.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Pagamento.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Pagamento.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Pagamento.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01003AA5 push esp; iretd	2_2_01003AA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02C9B57F push edi; retn 0000h	2_2_02C9B581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_059D7F00 push 8BF04589h; iretd	2_2_059D7F8C

Source: initial sample

Static PE information: section name: .text entropy: 7.86500961586

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Pagamento.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window / User API: threadDelayed 735

Jump to behavior

Source: C:\Users\user\Desktop\Pagamento.exe TID: 5756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6444	Thread sleep count: 63 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6444	Thread sleep count: 735 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -56188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -55188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -76782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -49688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -49188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -71532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -69282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -45688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -44188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -65532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -42188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -41688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -60282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -59532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -57282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -56532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -54282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -51282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -32188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -30188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -31032s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -58688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -58500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -56500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -53188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -52688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -75141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -49594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -48094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -45500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -44094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -43906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -43406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -43188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -43000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -42094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -39500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -58500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -38000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -37500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -37094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -53250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -35094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -33594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -33094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -32688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -31594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -31188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -30688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -30094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -57874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -56782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -55688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -54594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -54374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -52374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -51000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -50594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -48594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -47874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -47000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -46000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -45094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -44594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -42688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -42500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -41782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -41594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -41094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -40688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Last function: Thread delayed

Source: RegAsm.exe, 00000002.00000002.597108036.0000000005EE0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000002.00000002.597108036.0000000005EE0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000002.00000002.597108036.0000000005EE0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000002.00000002.597285084.0000000005FDC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 00000002.00000002.597108036.0000000005EE0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00FF27B8 LdrInitializeThunk,

2_2_00FF27B8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Pagamento.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Pagamento.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\Pagamento.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe			Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe			Jump to behavior

Source: RegAsm.exe, 00000002.00000002.592906286.0000000001710000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.592906286.0000000001710000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000002.00000002.592906286.0000000001710000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegAsm.exe, 00000002.00000002.592906286.0000000001710000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Pagamento.exe	Queries volume information: C:\Users\user\Desktop\Pagamento.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Pagamento.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338315730.0000000004EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340576792.0000000006A49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Pagamento.exe PID: 6380, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4680, type: MEMORY
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pagamento.exe.58a0000.1.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4680, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338315730.0000000004EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340576792.0000000006A49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Pagamento.exe PID: 6380, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4680, type: MEMORY
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pagamento.exe.58a0000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Process Injection112	Masquerading1	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion13	Input Capture111	Security Software Discovery111	Remote Desktop Protocol	Input Capture111	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Credentials in Registry1	Virtualization/Sandbox Evasion13	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Process Discovery2	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Application Window Discovery1	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing3	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Pagamento.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File
0.2.Pagamento.exe.58a0000.1.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
greatdeck.co	1%	Virustotal		Browse
mail.greatdeck.co	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://greatdeck.co	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://t3WjFakexhm5e07NJ.netP	0%	Avira URL Cloud	safe
http://mail.greatdeck.co	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://Bvcujr.com	0%	Avira URL Cloud	safe
http://t3WjFakexhm5e07NJ.net	0%	Avira URL Cloud	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
greatdeck.co	162.222.226.70	true	true	1%, Virustotal, Browse	unknown
g.msn.com	unknown	unknown	false		high
mail.greatdeck.co	unknown	unknown	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://greatdeck.co	RegAsm.exe, 00000002.00000002.593886268.0000000003269000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://t3WjFakexhm5e07NJ.netP	RegAsm.exe, 00000002.00000002.593820435.0000000003227000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.greatdeck.co	RegAsm.exe, 00000002.00000002.593886268.0000000003269000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	Pagamento.exe, 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Pagamento.exe, 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://Bvcujr.com	RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://t3WjFakexhm5e07NJ.net	RegAsm.exe, 00000002.00000002.593820435.0000000003227000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://api.ipify.orgGETMozilla/5.0	RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.222.226.70	unknown	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321143
Start date:	20.11.2020
Start time:	12:35:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Pagamento.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.3%) Quality average: 51% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 104.43.193.48, 51.104.139.180, 52.155.217.156, 20.54.26.129, 40.67.251.132, 95.101.22.134, 95.101.22.125, 52.142.114.176, 23.210.248.85 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:36:28	API Interceptor	841x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
162.222.226.70	Zahlung.exe	Get hash	malicious	Browse
	Zahlung.exe	Get hash	malicious	Browse
	Lieferadresse.exe	Get hash	malicious	Browse
	Shipment address.exe	Get hash	malicious	Browse
	dettagli di pagamento.exe	Get hash	malicious	Browse
	Zahlungskopie.exe	Get hash	malicious	Browse
	SecuriteInfo.com.AdWare.Amonetize.arhz.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Siggen11.2816.22071.exe	Get hash	malicious	Browse
	https://spark.adobe.com/page/s4liZTtRbzbxD	Get hash	malicious	Browse
	https://1drv.ms/u/s!Aj1pdKAYa9n0gTIji9Ijnr6xK0RL?e=HEGTEl	Get hash	malicious	Browse
	Purchase-Order2750.html	Get hash	malicious	Browse
	https://jcbintegrador.com.pe/ddgghhf67643bhjbhdfbdocpdf	Get hash	malicious	Browse
	http://larryyoungpavlngz.com/0s	Get hash	malicious	Browse
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fartecorpus.net%2fwp-includes%2fSimplePie%2fParse%2fowa.php%2findex.html%3fl%3d_JeHFUq_VJOXK0QWHtoGYDw_Product-UserID%26%23charles.teel%40goodmanmfg.com&c=E,1,rYcxrrvcAzv2WFpvjh62IzTFJoxfScVTKXZV3aj80Afb6YKCrifwPWMgT9kxNyr4CqCYIochrADK8LmpYhp1FsBFERt0zZ1-TqzxuvkiNiScqD-ywXqZOePgJg,,&typo=1	Get hash	malicious	Browse
	https://aerosurcolombia.com/AUSSIE.html	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	PO1.xlsx	Get hash	malicious	Browse	208.91.199.223
	QKLQkaCe9M.exe	Get hash	malicious	Browse	208.91.199.224
	Zahlung.exe	Get hash	malicious	Browse	162.222.226.70
	0hgHwEkIWY.exe	Get hash	malicious	Browse	208.91.198.143
	Swift Copy.exe	Get hash	malicious	Browse	208.91.199.224
	Shipping Details_PDF.exe	Get hash	malicious	Browse	208.91.199.225
	Zahlung.exe	Get hash	malicious	Browse	162.222.226.70
	Lieferadresse.exe	Get hash	malicious	Browse	162.222.226.70
	RFQ_SMKM19112020.xlsx	Get hash	malicious	Browse	208.91.199.224
	Order List.xlsx	Get hash	malicious	Browse	208.91.199.225
	Shipping doc.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	OrV86zxFWHW1j0f.exe	Get hash	malicious	Browse	208.91.199.224
	XDMBhLJxD1Qf7JW.exe	Get hash	malicious	Browse	208.91.199.224
	me4qssWAMQ.exe	Get hash	malicious	Browse	208.91.199.225
	Vd58qg0dhp.exe	Get hash	malicious	Browse	208.91.199.223
	15egpuWfT3.exe	Get hash	malicious	Browse	208.91.199.224
	PO_287104.exe	Get hash	malicious	Browse	208.91.198.225
	Machine drawing.exe	Get hash	malicious	Browse	199.79.63.24
	Shipping Details.exe	Get hash	malicious	Browse	208.91.198.143
	Wrong Transfer Payment - Chk Clip Copy.exe	Get hash	malicious	Browse	208.91.199.223

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pagamento.exe.log Download File
Process:	C:\Users\user\Desktop\Pagamento.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	315
Entropy (8bit):	5.350410246151501
Encrypted:	false
SSDEEP:	6:Q3La/xwcE73FKDLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hg1KDLI4M9tDLI4MWuPk21v
MD5:	EE0BB4B63A030A0BF7087CB0AEBD07BC
SHA1:	9A4ADFB6336E22D49503B4B99FFC25A7882AE202
SHA-256:	6CBBAF20B7871B931A8A0B1D54890DC0E6C9ED78E7DEC5E2AB2F6D12DF349DFF
SHA-512:	47644A669A15A83D0BAA1F801BB34E36B1F8FE700E5C7A4396D684FE85AFFF6B32F511AEDD0E304DB48383E04A5044CA1B313D559737F5CD967CC00F8FDFC38B
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.859874602338609
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Pagamento.exe
File size:	617472
MD5:	b8197d8952605ea1ed36ea874152a251
SHA1:	39a6ba55c24c9962174acb056d12b5cfa9eff646
SHA256:	c40b22f18e596d932438b11f44d1f78c3c217a5d96a31b884a72ff83994df03b
SHA512:	2c9bc7d072802b72ba1469c434401d210261c234e07a0e9d763ccc003dc24e9c20b36d21dd710fc48bb76afb569acf4df804ebd30bc7db07113b1076b4fb8722
SSDEEP:	12288:YnXTkH7i/KxxUrnEu9GphN5Y0B9niCmYbnsFnr46X9VmjwvSwmp:UuiKTcnPU55ZTmYbYrtDQwvSwm
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Py._.................d............... ........@.. ...............................?....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4982de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB77950 [Fri Nov 20 08:07:44 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9828c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x962e4	0x96400	False	0.917455282862	data	7.86500961586	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x9a000	0x242	0x400	False	0.310546875	data	3.56952524932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x9a058	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/20/20-12:37:55.784719	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49751	587	192.168.2.6	162.222.226.70

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 12:37:54.328646898 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:54.468153954 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:54.468306065 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:54.847594976 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:54.847948074 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:54.987818956 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:54.990252972 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:55.140309095 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:55.145272970 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:55.328001022 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:55.329164028 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:55.478471994 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:55.482852936 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:55.633630991 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:55.634068012 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:55.783411026 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:55.783446074 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:55.784718990 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:55.784828901 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:55.785522938 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:55.785677910 CET	49751	587	192.168.2.6	162.222.226.70
Nov 20, 2020 12:37:55.934062004 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:55.934911966 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:55.936678886 CET	587	49751	162.222.226.70	192.168.2.6
Nov 20, 2020 12:37:55.991863012 CET	49751	587	192.168.2.6	162.222.226.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 12:36:10.390896082 CET	58384	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:10.418067932 CET	53	58384	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:11.087999105 CET	60261	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:11.115312099 CET	53	60261	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:12.108866930 CET	56061	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:12.136126995 CET	53	56061	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:12.953931093 CET	58336	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:12.981069088 CET	53	58336	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:13.755726099 CET	53781	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:13.782707930 CET	53	53781	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:14.478147030 CET	54064	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:14.505131006 CET	53	54064	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:15.319751978 CET	52811	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:15.346996069 CET	53	52811	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:17.531930923 CET	55299	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:17.567615986 CET	53	55299	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:18.508744001 CET	63745	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:18.535815954 CET	53	63745	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:19.172806978 CET	50055	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:19.200059891 CET	53	50055	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:19.850620031 CET	61374	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:19.886384010 CET	53	61374	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:20.607717991 CET	50339	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:20.634874105 CET	53	50339	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:21.303013086 CET	63307	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:21.330130100 CET	53	63307	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:22.556905031 CET	49694	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:22.584377050 CET	53	49694	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:38.638823986 CET	54982	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:38.665930986 CET	53	54982	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:54.827131033 CET	50010	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:54.865036011 CET	53	50010	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:55.465960026 CET	63718	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:55.493091106 CET	53	63718	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:55.928179979 CET	62116	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:55.974339962 CET	53	62116	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:56.359886885 CET	63816	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:56.395853043 CET	53	63816	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:56.717065096 CET	55014	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:56.720980883 CET	62208	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:56.744414091 CET	53	55014	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:56.756824017 CET	53	62208	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:57.233652115 CET	57574	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:57.269503117 CET	53	57574	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:57.675564051 CET	51818	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:57.711568117 CET	53	51818	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:58.500577927 CET	56628	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:58.527576923 CET	53	56628	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:59.509484053 CET	60778	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:59.545171976 CET	53	60778	8.8.8.8	192.168.2.6
Nov 20, 2020 12:36:59.866882086 CET	53799	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:36:59.904808998 CET	53	53799	8.8.8.8	192.168.2.6
Nov 20, 2020 12:37:01.364940882 CET	54683	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:37:01.400644064 CET	53	54683	8.8.8.8	192.168.2.6
Nov 20, 2020 12:37:11.120472908 CET	59329	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:37:11.157748938 CET	53	59329	8.8.8.8	192.168.2.6
Nov 20, 2020 12:37:13.138706923 CET	64021	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:37:13.182286978 CET	53	64021	8.8.8.8	192.168.2.6
Nov 20, 2020 12:37:48.150477886 CET	56129	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:37:48.192136049 CET	53	56129	8.8.8.8	192.168.2.6
Nov 20, 2020 12:37:53.961940050 CET	58177	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:37:54.134756088 CET	53	58177	8.8.8.8	192.168.2.6
Nov 20, 2020 12:37:54.150438070 CET	50700	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:37:54.315829992 CET	53	50700	8.8.8.8	192.168.2.6
Nov 20, 2020 12:38:03.007132053 CET	54069	53	192.168.2.6	8.8.8.8
Nov 20, 2020 12:38:03.034373999 CET	53	54069	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 12:37:13.138706923 CET	192.168.2.6	8.8.8.8	0x216d	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Nov 20, 2020 12:37:53.961940050 CET	192.168.2.6	8.8.8.8	0xb307	Standard query (0)	mail.greatdeck.co	A (IP address)	IN (0x0001)
Nov 20, 2020 12:37:54.150438070 CET	192.168.2.6	8.8.8.8	0x4189	Standard query (0)	mail.greatdeck.co	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 20, 2020 12:37:13.182286978 CET	8.8.8.8	192.168.2.6	0x216d	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 12:37:54.134756088 CET	8.8.8.8	192.168.2.6	0xb307	No error (0)	mail.greatdeck.co	greatdeck.co		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 12:37:54.134756088 CET	8.8.8.8	192.168.2.6	0xb307	No error (0)	greatdeck.co		162.222.226.70	A (IP address)	IN (0x0001)
Nov 20, 2020 12:37:54.315829992 CET	8.8.8.8	192.168.2.6	0x4189	No error (0)	mail.greatdeck.co	greatdeck.co		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 12:37:54.315829992 CET	8.8.8.8	192.168.2.6	0x4189	No error (0)	greatdeck.co		162.222.226.70	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 20, 2020 12:37:54.847594976 CET	587	49751	162.222.226.70	192.168.2.6	220-bh-37.webhostbox.net ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 11:37:54 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 20, 2020 12:37:54.847948074 CET	49751	587	192.168.2.6	162.222.226.70	EHLO 445817
Nov 20, 2020 12:37:54.987818956 CET	587	49751	162.222.226.70	192.168.2.6	250-bh-37.webhostbox.net Hello 445817 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 20, 2020 12:37:54.990252972 CET	49751	587	192.168.2.6	162.222.226.70	AUTH login aW5mby5ncmVhdGRlY2tAZ3JlYXRkZWNrLmNv
Nov 20, 2020 12:37:55.140309095 CET	587	49751	162.222.226.70	192.168.2.6	334 UGFzc3dvcmQ6
Nov 20, 2020 12:37:55.328001022 CET	587	49751	162.222.226.70	192.168.2.6	235 Authentication succeeded
Nov 20, 2020 12:37:55.329164028 CET	49751	587	192.168.2.6	162.222.226.70	MAIL FROM:<info.greatdeck@greatdeck.co>
Nov 20, 2020 12:37:55.478471994 CET	587	49751	162.222.226.70	192.168.2.6	250 OK
Nov 20, 2020 12:37:55.482852936 CET	49751	587	192.168.2.6	162.222.226.70	RCPT TO:<info.greatdeck@greatdeck.co>
Nov 20, 2020 12:37:55.633630991 CET	587	49751	162.222.226.70	192.168.2.6	250 Accepted
Nov 20, 2020 12:37:55.634068012 CET	49751	587	192.168.2.6	162.222.226.70	DATA
Nov 20, 2020 12:37:55.783446074 CET	587	49751	162.222.226.70	192.168.2.6	354 Enter message, ending with "." on a line by itself
Nov 20, 2020 12:37:55.785677910 CET	49751	587	192.168.2.6	162.222.226.70	.
Nov 20, 2020 12:37:55.936678886 CET	587	49751	162.222.226.70	192.168.2.6	250 OK id=1kg4jj-000ecw-Mw

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Pagamento.exe PID: 6380 Parent PID: 5892

General

Start time:	12:36:14
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\Pagamento.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Pagamento.exe'
Imagebase:	0xde0000
File size:	617472 bytes
MD5 hash:	B8197D8952605EA1ED36EA874152A251
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.338315730.0000000004EE0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.340576792.0000000006A49000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 4652 Parent PID: 6380

General

Start time:	12:36:19
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x2c0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegAsm.exe PID: 4680 Parent PID: 6380

General

Start time:	12:36:20
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xa80000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Pagamento.exe PID: 6380 Parent PID: 5892 Pagamento.exeCOMMON

Executed Functions

Function 015D9278, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 015D9500

Strings

X{p, xrefs: 015D94B2

Memory Dump Source

Source File: 00000000.00000002.336539843.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: X{p
API String ID: 4275171209-4022507961
Opcode ID: 27cc59665f0dcdd65aa32f1098560a3310225ae02302672f38a1ad5d44c3aa1d
Instruction ID: 17bae6e9e9382c8ff81e1f48646fc205af567ba3db9065c894824dc7e45696fb
Opcode Fuzzy Hash: 27cc59665f0dcdd65aa32f1098560a3310225ae02302672f38a1ad5d44c3aa1d
Instruction Fuzzy Hash: 5F81CF71B002058FCB24DBB9C894BAEBBE1BF89318F158969D5199F381DB34DC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015D9498, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 015D9500

Strings

X{p, xrefs: 015D94B2

Memory Dump Source

Source File: 00000000.00000002.336539843.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: X{p
API String ID: 4275171209-4022507961
Opcode ID: d5bea96da99aec67f2d16c9c5f629d067a78f61d416546033cb938f034fc9be7
Instruction ID: b55dfdbd3681fdc2b5d39093d779d5cba7d84fecb076b246913d60d35f3685aa
Opcode Fuzzy Hash: d5bea96da99aec67f2d16c9c5f629d067a78f61d416546033cb938f034fc9be7
Instruction Fuzzy Hash: 8D11D4B59006489FCB10DF9AD844BDEBBF4FF88324F248429E559A7210D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0153D0EC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336476358.000000000153D000.00000040.00000001.sdmp, Offset: 0153D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463f03f5bfc6db2f8eab8e496b4cb2dc7c4471dd4097e16716d26dff33b88725
Instruction ID: 4b3743492d6765724fd21023727b3d5a90f3a2ca8fb0d354b88263e36bdc33f4
Opcode Fuzzy Hash: 463f03f5bfc6db2f8eab8e496b4cb2dc7c4471dd4097e16716d26dff33b88725
Instruction Fuzzy Hash: BF21F2B1504204EFDB05DF94D8C0B2ABBB5FB84314F64C9ADE9094F246C73AD846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0153D0E7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336476358.000000000153D000.00000040.00000001.sdmp, Offset: 0153D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ef8b8e69474e9e3f59cfca7e61f3031d75341f00d8d617f05e8a12da4b6053
Instruction ID: cd5d0bcb34dc62728e7da43cfb98a4ae6650ddb21a411fb9dbd3d749f6269e02
Opcode Fuzzy Hash: 27ef8b8e69474e9e3f59cfca7e61f3031d75341f00d8d617f05e8a12da4b6053
Instruction Fuzzy Hash: B3119076504280DFDB02CF54D9C4B19BF71FB84314F28C6A9D8494F656C33AD44ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0152D041, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336454276.000000000152D000.00000040.00000001.sdmp, Offset: 0152D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d19cd535aa27814c84938b8350498c41c86d8a047d64b552a71d95da53f10ad
Instruction ID: c398aa6ae95109f1bc8d38b3e97c2a02d0d6658478075840c1da3731b554f911
Opcode Fuzzy Hash: 2d19cd535aa27814c84938b8350498c41c86d8a047d64b552a71d95da53f10ad
Instruction Fuzzy Hash: B301D8730082949AE7104A55C8847A6BFE8FF42264F18855AED445F296E37D9845C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0152D040, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336454276.000000000152D000.00000040.00000001.sdmp, Offset: 0152D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d41eb0ffcec54e8dd70b9bdb491fb906dec83a56aef5da82ed43b6d2c72f16
Instruction ID: 8b8d4adcb2b1c7dc68ac223667effe1c620e345775d71df38c2e4ba8d5b378d8
Opcode Fuzzy Hash: 01d41eb0ffcec54e8dd70b9bdb491fb906dec83a56aef5da82ed43b6d2c72f16
Instruction Fuzzy Hash: E6F0C2724042949AEB108A19DCC4B66FFA8EB82774F18C45AED080F387D3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E6EF01, Relevance: .6, Instructions: 639
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00E6EF01(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, signed int __edi, signed char __esi) {
				signed char _t300;
				void* _t302;
				signed int _t303;
				signed int _t313;
				void* _t314;
				signed int _t315;
				signed char _t317;
				signed int _t318;
				signed int _t320;
				signed char _t323;
				signed int _t324;
				signed int _t325;
				signed char _t326;
				signed int _t327;
				signed char _t328;
				signed int _t330;
				signed char _t331;
				signed char _t332;
				signed int _t333;
				signed int _t334;
				signed int _t341;
				signed char _t342;
				signed int _t343;
				intOrPtr* _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed char _t357;
				signed char _t358;
				signed char _t361;
				signed char _t362;
				signed char _t363;
				signed char _t364;
				signed char _t365;
				signed char _t366;
				signed char _t367;
				signed char _t368;
				signed int _t369;
				signed int* _t370;
				signed int _t371;
				signed int _t373;
				intOrPtr* _t375;
				signed int _t376;
				signed int _t378;
				signed char _t381;
				signed char _t383;
				signed char _t384;
				signed int _t385;
				signed int _t386;
				signed int* _t387;
				signed char _t392;
				signed char _t394;
				signed int _t395;
				char* _t396;
				signed char _t397;
				intOrPtr* _t398;
				intOrPtr* _t400;
				void* _t407;
				signed int _t409;
				signed char _t411;
				signed int _t412;
				signed char _t414;
				intOrPtr* _t415;
				void* _t416;
				signed int _t419;
				intOrPtr* _t421;
				signed char _t424;
				signed int _t425;
				void* _t426;
				void* _t427;
				void* _t429;
				signed int* _t430;
				signed int _t432;
				void* _t433;
				intOrPtr* _t434;
				signed int _t435;
				signed int _t437;
				signed char _t438;
				signed int _t439;
				signed char _t440;
				signed char _t442;
				signed int _t445;
				signed int* _t449;
				signed char _t457;
				signed char _t458;
				signed int* _t460;
				void* _t461;
				signed int _t463;

				_t438 = __esi;
				_t435 = __edi;
				_t424 = __edx;
				_t300 = __eax | 0xffffffff9fe00603;
				asm("sbb ecx, [0xb8000102]");
				_pop(ds);
				asm("in al, dx");
				asm("adc eax, [esi]");
				 *((intOrPtr*)(__esi + 0x113ec1b)) =  *((intOrPtr*)(__esi + 0x113ec1b)) + __ecx;
				 *__edx =  *__edx + _t300;
				asm("adc eax, [esi]");
				_t302 = (_t300 & __ecx) + (_t300 & __ecx);
				asm("sbb ebp, esp");
				asm("adc eax, [ecx]");
				_t460[0x43aac7] = _t460[0x43aac7] + _t302;
				_t460[0x407647] = _t460[0x407647] + __ecx;
				_t409 = __ecx + __ecx;
				_pop(ds);
				asm("scasd");
				 *_t409 =  *_t409 + _t302;
				_t303 = _t302 + _t409;
				_pop(ds);
				asm("scasd");
				 *_t409 =  *_t409 + _t303;
				_t392 = __ebx + __edx;
				_pop(ds);
				asm("scasd");
				 *_t409 =  *_t409 + _t303;
				 *((intOrPtr*)(__esi + 0x16)) =  *((intOrPtr*)(__esi + 0x16)) + _t303;
				_pop(ss);
				asm("scasd");
				 *_t409 =  *_t409 + (_t303 | 0x17000102);
				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t409;
				asm("scasd");
				 *__esi =  *__esi + 0x2c;
				 *__edi =  *__edi + __edx;
				asm("das");
				asm("scasd");
				 *_t409 =  *_t409 + 0x2c;
				 *0x06020D58 =  *((intOrPtr*)(0x6020d58)) + _t392;
				 *0x2c =  *0x2c + 0x2c;
				asm("das");
				_pop(ds);
				 *0x4B000748 =  *0x4B000748 ^ __edx;
				 *[ss:eax+0xf] =  *[ss:eax+0xf] + 0x2c;
				asm("pushad");
				asm("sbb dl, [esi]");
				 *_t409 =  *_t409 + __edx;
				_t460[6] = _t460[6] ^ 0x0000002c;
				_push(ss);
				 *_t392 =  *_t392 + _t392;
				 *(__esi + 0x1a) =  *(__esi + 0x1a) ^ _t409;
				_push(es);
				 *_t409 =  *_t409 + _t392;
				asm("sbb al, 0x1f");
				_push(ss);
				_push(es);
				 *0x4B00074A =  *((intOrPtr*)(0x4b00074a)) + __edx;
				_t460[6] = _t460[6] & _t392;
				 *[ss:eax+0xf] =  *[ss:eax+0xf] + 0x2c;
				_push(ss);
				 *__edi =  *__edi + __edx;
				 *0x66000134 =  *0x66000134 & 0x0000002c;
				_t310 = 0x1700011a;
				ss = ss;
				asm("scasd");
				 *_t409 =  *_t409 + 0x1a;
				_t27 = __esi + __edx + 0x1020d;
				 *_t27 =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t409;
				if( *_t27 < 0) {
					 *0x87000102 =  *0x87000102 ^ _t409;
					asm("aad 0x30");
					 *(__edi - 0xcffff00) =  *(__edi - 0xcffff00) ^ _t409;
					_t310 = 0xfffffffff6fa050f ^ _t392;
					asm("sbb al, [ecx]");
					_t409 = _t409 + _t392;
					 *_t409 =  *_t409 ^ 0x0000001a;
					asm("sbb eax, [ecx]");
					 *_t409 =  *_t409 + _t409;
					 *0x19000102 =  *0x19000102 ^ _t409;
				}
				 *_t409 =  *_t409 + _t392;
				 *0x66000102 =  *0x66000102 ^ _t409;
				ss = ss;
				_push(ss);
				_t425 = _t424 &  *(_t435 + 0x2f00060d);
				 *(_t435 + 0x3800010d) =  *(_t435 + 0x3800010d) ^ _t425;
				 *(_t435 + 0x43000109) =  *(_t435 + 0x43000109) ^ _t438;
				_t313 = (_t310 | 0x57000102) ^ _t435;
				 *_t409 =  *_t409 + _t313;
				_t314 = _t313 + _t392;
				asm("clc");
				 *_t409 =  *_t409 + _t314;
				 *((intOrPtr*)(_t409 + _t438 + 0xd)) =  *((intOrPtr*)(_t409 + _t438 + 0xd)) + _t425;
				_t315 = _t314 +  *_t409;
				 *((intOrPtr*)(_t392 + 0x31)) =  *((intOrPtr*)(_t392 + 0x31)) + _t392;
				asm("sti");
				asm("adc [ecx], al");
				 *((intOrPtr*)(_t425 + 0x31)) =  *((intOrPtr*)(_t425 + 0x31)) + _t409;
				asm("scasd");
				 *_t409 =  *_t409 + _t315;
				 *((intOrPtr*)(_t409 + _t438 - 0x69)) =  *((intOrPtr*)(_t409 + _t438 - 0x69)) + _t425;
				asm("scasd");
				 *_t438 =  *_t438 + _t425;
				_t317 = (_t315 | 0x338f0006) + _t409;
				ss = ss;
				asm("sgdt [es:eax]");
				_push(_t317);
				_t318 = _t317 ^ 0x000000af;
				 *_t409 =  *_t409 + _t318;
				 *((intOrPtr*)(_t435 + 0x34)) =  *((intOrPtr*)(_t435 + 0x34)) + _t318;
				_t320 = (_t318 | 0x82000102) ^ 0x000000af;
				 *_t409 =  *_t409 + _t320;
				_t460[0x4365cd] = _t460[0x4365cd] + _t392;
				 *_t392 =  *_t392 + _t392;
				asm("popfd");
				_t323 = _t320 ^ 0x10d27 | 0x35510001;
				asm("scasd");
				 *_t438 =  *_t438 + _t323;
				_push(es);
				 *0x56020d35 = _t323;
				 *((char*)(_t392 + 0x561c9f35)) =  *((char*)(_t392 + 0x561c9f35)) - 0x80;
				asm("lahf");
				asm("sbb al, 0x56");
				_push(_t323);
				_t324 = _t323 ^ 0x000000af;
				 *_t409 =  *_t409 + _t324;
				_t426 = _t425 + _t409;
				_t325 = _t324 ^ 0x013300af;
				 *_t438 = _t426;
				asm("out 0x1c, eax");
				asm("enter 0x20, 0x0");
				 *_t325 =  *_t325 + _t325;
				_t326 = _t438;
				_t439 = _t325;
				 *((intOrPtr*)(_t439 + 0x21)) =  *((intOrPtr*)(_t439 + 0x21)) + 0x35;
				_push(_t409);
				 *_t409 =  *_t409 + _t326;
				_t427 = _t426 + _t426;
				 *_t326 =  *_t326 & _t326;
				 *_t326 =  *_t326 + _t326;
				 *((intOrPtr*)(_t439 + 0x6021a400)) =  *((intOrPtr*)(_t439 + 0x6021a400)) + _t427;
				 *0x35 =  *0x35 + _t326;
				_t394 = 0x35 + _t326;
				 *_t326 =  *_t326 & _t326;
				 *_t326 =  *_t326 + _t326;
				 *((intOrPtr*)(_t439 + 0x6821c400)) =  *((intOrPtr*)(_t439 + 0x6821c400)) + _t427;
				 *0x20f400 =  *0x20f400 + _t326;
				 *_t326 =  *_t326 + _t326;
				 *((intOrPtr*)(_t439 + 0x6e21cf00)) =  *((intOrPtr*)(_t439 + 0x6e21cf00)) + _t427;
				 *_t439 =  *_t439 + _t326;
				_t327 = _t326 + _t394;
				 *_t327 =  *_t327 & _t327;
				 *_t327 =  *_t327 + _t327;
				 *((intOrPtr*)(_t394 + 0x7621dc00)) =  *((intOrPtr*)(_t394 + 0x7621dc00)) + _t427;
				 *_t439 =  *_t439 + _t327;
				 *_t409 =  *_t409 + _t409;
				 *_t327 =  *_t327 & _t327;
				 *_t327 =  *_t327 + _t327;
				 *((intOrPtr*)(_t394 + 0x7b21f000)) =  *((intOrPtr*)(_t394 + 0x7b21f000)) + _t427;
				 *_t435 =  *_t435 + _t327;
				 *_t394 =  *_t394 + 0x35;
				 *_t327 =  *_t327 & _t327;
				 *_t327 =  *_t327 + _t327;
				 *((intOrPtr*)(_t394 + 0x7b21fb00)) =  *((intOrPtr*)(_t394 + 0x7b21fb00)) + _t427;
				 *_t435 =  *_t435 + _t327;
				 *((intOrPtr*)(_t327 + 0x27)) =  *((intOrPtr*)(_t327 + 0x27)) + _t394;
				 *((intOrPtr*)(_t439 - 0x68ddf000)) =  *((intOrPtr*)(_t439 - 0x68ddf000)) + _t427;
				 *_t435 =  *_t435 + _t327;
				 *_t439 =  *_t439 + 0x35;
				 *_t327 =  *_t327 & _t327;
				 *_t327 =  *_t327 + _t327;
				 *((intOrPtr*)(_t439 - 0x6cf1dae8)) =  *((intOrPtr*)(_t439 - 0x6cf1dae8)) + _t327;
				 *_t327 =  *_t327 + _t409;
				 *_t439 =  *_t439 + _t327;
				 *_t327 =  *_t327 & _t327;
				 *_t327 =  *_t327 + _t327;
				 *((intOrPtr*)(_t409 + 0x6e221f18)) =  *((intOrPtr*)(_t409 + 0x6e221f18)) + _t427;
				 *_t327 =  *_t327 + _t409;
				_t460[8] = _t460[8] + _t427;
				 *_t327 =  *_t327 + _t327;
				 *_t327 =  *_t327 + _t327;
				_t328 = _t394;
				_t395 = _t327;
				 *((intOrPtr*)(_t328 + 0x22)) =  *((intOrPtr*)(_t328 + 0x22)) + _t328;
				asm("daa");
				 *_t328 =  *_t328 + _t328;
				 *_t328 =  *_t328 + _t328;
				_t440 = _t328;
				 *((intOrPtr*)(_t440 + 0x22)) =  *((intOrPtr*)(_t440 + 0x22)) + 0xfc000800;
				asm("in al, 0x0");
				_t330 = _t439 |  *_t439;
				 *((intOrPtr*)(_t440 - 0xadd9f00)) =  *((intOrPtr*)(_t440 - 0xadd9f00)) + 0xfc000800;
				 *((intOrPtr*)(_t330 + _t330)) =  *((intOrPtr*)(_t330 + _t330)) + _t409;
				 *_t330 =  *_t330 & _t330;
				 *_t330 =  *_t330 + _t330;
				 *((intOrPtr*)(_t409 + 0x6e226d00)) =  *((intOrPtr*)(_t409 + 0x6e226d00)) + 0xfc000800;
				 *((intOrPtr*)(_t330 + _t330)) =  *((intOrPtr*)(_t330 + _t330)) + _t409;
				 *_t330 =  *_t330 & _t330;
				 *_t330 =  *_t330 + _t330;
				 *((intOrPtr*)(_t440 + 0x6e227b00)) =  *((intOrPtr*)(_t440 + 0x6e227b00)) + 0xfc000800;
				 *((intOrPtr*)(_t330 + _t330)) =  *((intOrPtr*)(_t330 + _t330)) + _t409;
				_t437 = 0x28;
				 *_t330 =  *_t330 & _t330;
				 *_t330 =  *_t330 + _t330;
				 *((intOrPtr*)(_t409 + 0x6e22b600)) =  *((intOrPtr*)(_t409 + 0x6e22b600)) + 0xfc000800;
				 *((intOrPtr*)(_t330 + _t330)) =  *((intOrPtr*)(_t330 + _t330)) + _t409;
				_push(ds);
				 *_t330 =  *_t330 & _t330;
				 *_t330 =  *_t330 + _t330;
				 *((intOrPtr*)(_t440 - 0x6cf1dae8)) =  *((intOrPtr*)(_t440 - 0x6cf1dae8)) + _t330;
				 *((intOrPtr*)(_t330 + _t330)) =  *((intOrPtr*)(_t330 + _t330)) + _t409;
				asm("insd");
				 *_t330 =  *_t330 & _t330;
				 *_t330 =  *_t330 + _t330;
				 *((intOrPtr*)(_t409 + 0x6e221f18)) =  *((intOrPtr*)(_t409 + 0x6e221f18)) + 0xfc000800;
				 *((intOrPtr*)(_t330 + _t330)) =  *((intOrPtr*)(_t330 + _t330)) + _t409;
				 *_t330 = gs;
				 *_t330 =  *_t330 + _t330;
				 *_t330 =  *_t330 + _t330;
				_t331 = _t440;
				_t429 = 0xfc000800 + _t331;
				_t332 = _t331 &  *_t437;
				 *((intOrPtr*)(_t332 + _t332)) =  *((intOrPtr*)(_t332 + _t332)) + _t409;
				asm("les ebp, [eax]");
				 *_t332 =  *_t332 + _t332;
				 *_t332 =  *_t332 + _t332;
				_t333 = _t330;
				_t442 = _t332;
				_t411 = _t409 + 0x00000035 &  *(_t409 + 0x35);
				 *0x294c00 =  *0x294c00 + _t411;
				 *_t333 =  *_t333 + _t333;
				 *((intOrPtr*)(_t442 + 0x67231600)) =  *((intOrPtr*)(_t442 + 0x67231600)) + _t429;
				 *_t442 =  *_t442 + _t411;
				 *((intOrPtr*)(_t333 + 0x29)) =  *((intOrPtr*)(_t333 + 0x29)) + _t333;
				 *((intOrPtr*)(_t442 - 0x6adc9d00)) =  *((intOrPtr*)(_t442 - 0x6adc9d00)) + _t429;
				 *_t411 =  *_t411 + 0xfc000800;
				 *_t333 =  *_t333 + _t333;
				_t334 = _t333 -  *_t333;
				 *_t334 =  *_t334 + _t334;
				 *((intOrPtr*)(_t442 + 0x29238600)) =  *((intOrPtr*)(_t442 + 0x29238600)) + _t429;
				 *0xfc000800 =  *0xfc000800 + 0xfc000800;
				 *((intOrPtr*)(0xfc000800 + _t460)) =  *((intOrPtr*)(0xfc000800 + _t460)) + _t411;
				 *_t334 =  *_t334 + _t334;
				 *((intOrPtr*)(_t411 - 0x48dc4d00)) =  *((intOrPtr*)(_t411 - 0x48dc4d00)) + _t429;
				 *_t395 =  *_t395 + 0xfc000800;
				 *_t442 =  *_t442 + 0x35;
				 *_t334 =  *_t334 & _t334;
				 *_t334 =  *_t334 + _t334;
				 *((intOrPtr*)(_t442 - 0x6cf1dae8)) =  *((intOrPtr*)(_t442 - 0x6cf1dae8)) + _t334;
				 *_t442 =  *_t442 + _t429;
				 *((intOrPtr*)(0xfc000800 + _t460)) =  *((intOrPtr*)(0xfc000800 + _t460)) + _t334;
				 *((intOrPtr*)(_t437 + 0x24)) =  *((intOrPtr*)(_t437 + 0x24)) + _t395;
				_push(ss);
				 *0x0000002D =  *((intOrPtr*)(0x2d)) + _t395;
				 *2 =  *2 + 2;
				 *2 =  *2 + 2;
				 *((intOrPtr*)(_t395 + 0x10)) =  *((intOrPtr*)(_t395 + 0x10)) + _t411;
				 *0xfc000800 =  *0xfc000800 + 1;
				asm("sbb [eax], al");
				L3();
				 *0x52106B02 =  *((intOrPtr*)(0x52106b02)) + _t429;
				_t396 = _t395 +  *0xfc000800;
				 *((intOrPtr*)(_t460 + _t463)) =  *((intOrPtr*)(_t460 + _t463)) + _t411;
				_t445 = _t334;
				 *((intOrPtr*)(_t396 + 0x10)) =  *((intOrPtr*)(_t396 + 0x10)) + _t411;
				 *_t396 =  *_t396 + 0x1c;
				 *0x00000004 =  *0x00000004 + 2;
				 *((intOrPtr*)(_t445 - 0x35db6900)) =  *((intOrPtr*)(_t445 - 0x35db6900)) + _t429;
				_t397 = _t396 +  *0x2d7800;
				 *0x00000004 =  *0x00000004 + 2;
				 *((intOrPtr*)(_t445 + 0x40f8300)) =  *((intOrPtr*)(_t445 + 0x40f8300)) + _t429;
				_t341 = _t445;
				 *((intOrPtr*)(_t397 + 0x1f04040f)) =  *((intOrPtr*)(_t397 + 0x1f04040f)) + 2;
				 *_t341 =  *_t341 + 2;
				 *[cs:eax] =  *[cs:eax] + 2;
				 *_t341 =  *_t341 + 2;
				_t342 = _t411;
				_t412 = _t341;
				 *((intOrPtr*)(_t342 + 0x20044924)) =  *((intOrPtr*)(_t342 + 0x20044924)) + _t412;
				 *((intOrPtr*)(_t342 + 0x2e)) =  *((intOrPtr*)(_t342 + 0x2e)) + _t412;
				 *((intOrPtr*)(_t412 - 0x37db4100)) =  *((intOrPtr*)(_t412 - 0x37db4100)) + _t429;
				_t343 = _t342 + 0x22;
				 *0x00000004 =  *0x00000004 + 0x35;
				 *_t343 =  *_t343 & _t343;
				 *_t343 =  *_t343 + 2;
				 *0xFFFFFFFF930E251C =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x315000 =  *0x315000 + _t343;
				 *_t343 =  *_t343 + 2;
				 *((intOrPtr*)(_t397 - 0x66f07600)) =  *((intOrPtr*)(_t397 - 0x66f07600)) + 2;
				_t344 = _t343 +  *0x211e00;
				 *_t344 =  *_t344 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x00000004 =  *0x00000004 + _t344;
				 *((intOrPtr*)(_t412 + 0x21)) =  *((intOrPtr*)(_t412 + 0x21)) + _t397;
				 *_t344 =  *_t344 + 2;
				 *_t344 =  *_t344 + 2;
				 *_t344 =  *_t344 + 0xffffff97;
				asm("adc [esp+eax], bh");
				 *[es:edi+0x21] =  *[es:edi+0x21] + 2;
				 *((intOrPtr*)(_t397 + 0x1110ad00)) =  *((intOrPtr*)(_t397 + 0x1110ad00)) + 2;
				_t345 = _t344 + 0x21aa0027;
				 *_t345 =  *_t345 + 2;
				 *_t345 =  *_t345 + 2;
				_t346 = _t412;
				asm("sbb [edi], bl");
				_t414 = _t345 &  *0x00000004;
				 *_t346 =  *_t346 - 2;
				_push(ds);
				 *_t346 =  *_t346 & _t346;
				 *_t346 =  *_t346 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t346 =  *_t346 + _t414;
				 *0x00000025 =  *((intOrPtr*)(0x25)) + _t429;
				 *((intOrPtr*)(_t397 + 0x4e0f6400)) =  *((intOrPtr*)(_t397 + 0x4e0f6400)) + 2;
				_t415 = _t414 +  *_t346;
				 *0x00000004 =  *0x00000004 + 0x35;
				 *_t346 =  *_t346 & _t346;
				 *_t346 =  *_t346 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t415 =  *_t415 + _t415;
				 *((intOrPtr*)(_t346 + 0x32)) =  *((intOrPtr*)(_t346 + 0x32)) + _t415;
				 *_t346 =  *_t346 + 2;
				 *_t346 =  *_t346 + 2;
				 *_t346 =  *_t346 + 0x27;
				_t347 = _t346 & 0x0029056a;
				_push(ds);
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0xfc000800 =  *0xfc000800 + _t415;
				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t397;
				 *((intOrPtr*)(_t397 + 0x3c254b00)) =  *((intOrPtr*)(_t397 + 0x3c254b00)) + 2;
				_t349 = _t347 + 0x2a + _t429;
				 *_t349 =  *_t349 & _t349;
				 *_t349 =  *_t349 + 2;
				 *((intOrPtr*)(_t397 - 0x66daa600)) =  *((intOrPtr*)(_t397 - 0x66daa600)) + 2;
				_t416 = _t415 +  *_t397;
				 *0xFFFFFFFFFC000804 =  *((intOrPtr*)(0xfffffffffc000804)) + _t416;
				 *_t349 =  *_t349 + 0x6e;
				_t350 = _t349 & 0x002c057f;
				_push(ds);
				 *_t350 =  *_t350 & _t350;
				 *_t350 =  *_t350 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x21e700 =  *0x21e700 + _t416;
				 *_t350 =  *_t350 + 2;
				 *((intOrPtr*)(_t397 + 0x3c259900)) =  *((intOrPtr*)(_t397 + 0x3c259900)) + 2;
				_t351 = _t350 + 0x2d;
				_t430 = _t429 + _t397;
				 *_t351 =  *_t351 & _t351;
				 *_t351 =  *_t351 + 2;
				 *((intOrPtr*)(_t416 + 0x6e221f18)) =  *((intOrPtr*)(_t416 + 0x6e221f18)) + _t430;
				 *0x00000004 =  *0x00000004 + _t416;
				 *0x00000004 =  *0x00000004 + 0x35;
				 *_t351 =  *_t351 & _t351;
				 *_t351 =  *_t351 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x00000004 =  *0x00000004 + _t416;
				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t430;
				 *((intOrPtr*)(_t397 + 0x4e25b500)) =  *((intOrPtr*)(_t397 + 0x4e25b500)) + 2;
				 *((intOrPtr*)(4 + _t397)) =  *((intOrPtr*)(4 + _t397)) + _t351;
				 *_t351 =  *_t351 + 2;
				 *_t351 =  *_t351 + 2;
				 *0x33 =  *0x33 + 2;
				 *0x33 =  *0x33 + 2;
				_t419 = _t416 +  *0x00000004 + _t430 + _t430;
				_push(es);
				_t357 = _t351 & 0x0032064a &  *(_t351 & 0x0032064a);
				 *_t357 =  *_t357 + 2;
				 *((intOrPtr*)(_t419 + 0x6e221f18)) =  *((intOrPtr*)(_t419 + 0x6e221f18)) + _t430;
				 *_t437 = _t430 +  *_t437;
				 *0x33 =  *0x33 + 0x35;
				 *_t357 =  *_t357 & _t357;
				 *_t357 =  *_t357 + 2;
				 *0xFFFFFFFF930E254B =  *((intOrPtr*)(0xffffffff930e254b)) + 2;
				 *_t437 = _t430 +  *_t437;
				 *0xfc000800 =  *0xfc000800 + _t430;
				_t358 = _t357 &  *_t357;
				 *_t358 =  *_t358 + 2;
				 *((intOrPtr*)(_t397 - 0x7cd9e200)) =  *((intOrPtr*)(_t397 - 0x7cd9e200)) + 2;
				_push(es);
				asm("aaa");
				 *((intOrPtr*)(0x33 + _t463)) =  *((intOrPtr*)(0x33 + _t463)) + _t419;
				 *_t358 =  *_t358 + 2;
				 *_t358 =  *_t358 + 2;
				_t359 = 0x33;
				_t449 = _t358;
				 *0xFFFFFFFFFC000826 =  *((intOrPtr*)(0xfffffffffc000826)) + 0x35;
				asm("clc");
				_push(es);
				if( *0x33 >= 2) {
					 *0x33 =  *0x33 + 2;
					 *0x33 =  *0x33 + 2;
					_t387 = _t449;
					 *0x37075A26 =  *((intOrPtr*)(0x37075a26)) + _t419;
					_t387[0xd] = _t387[0xd] + 0x35;
					 *0xFFFFFFFF80269C33 =  *((intOrPtr*)(0xffffffff80269c33)) + _t430;
					 *0x3be000 =  *0x3be000 | _t437;
					 *_t387 =  *_t387 + 2;
					 *0x0D26A833 =  *((intOrPtr*)(0xd26a833)) + _t430;
					_t397 = _t397 |  *0x33;
					 *_t437 =  *_t437 + _t419;
					_t359 = 0x33;
					_t449 = _t387;
					 *0x400A6959 =  *((intOrPtr*)(0x400a6959)) + _t419;
				}
				 *0x22 =  *0x22 + _t430;
				_t449[0x1c837bc2] = _t359 + _t449[0x1c837bc2];
				 *_t397 = _t359 +  *_t397;
				asm("sbb eax, 0x22");
				 *((intOrPtr*)(_t449 - 0x66d8edf8)) =  *((intOrPtr*)(_t449 - 0x66d8edf8)) + _t359;
				_t361 = _t359 +  *_t397 &  *[es:eax];
				 *_t361 =  *_t361 + _t361;
				_t449[0x689c6c2] = _t449[0x689c6c2] + _t361;
				 *((intOrPtr*)(_t361 + _t361 + 0x2e)) =  *((intOrPtr*)(_t361 + _t361 + 0x2e)) + _t361;
				_t362 = _t361 &  *_t361;
				 *_t362 =  *_t362 + _t362;
				 *((intOrPtr*)(_t449 - 0x77d8daf8)) =  *((intOrPtr*)(_t449 - 0x77d8daf8)) + _t362;
				_t363 = _t362 |  *(_t362 + _t362 + 0x1e);
				 *_t363 =  *_t363 & _t363;
				 *_t363 =  *_t363 + _t363;
				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + _t363;
				 *_t460 =  *_t460 + _t363;
				asm("aaa");
				_t364 = _t363 &  *_t363;
				 *_t364 =  *_t364 + _t364;
				 *((intOrPtr*)(_t449 - 0x72f1dae8)) =  *((intOrPtr*)(_t449 - 0x72f1dae8)) + _t364;
				_t365 = _t364 |  *_t460;
				_push(ds);
				 *_t365 =  *_t365 & _t365;
				 *_t365 =  *_t365 + _t365;
				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + _t365;
				 *_t437 =  *_t437 + _t365;
				_t461 = _t460 - 1;
				_t366 = _t365 &  *_t365;
				 *_t366 =  *_t366 + _t366;
				 *((intOrPtr*)(_t397 - 0x15ed5a00)) =  *((intOrPtr*)(_t397 - 0x15ed5a00)) + _t366;
				 *_t437 =  *_t437 | _t366;
				_push(ds);
				 *_t366 =  *_t366 & _t366;
				 *_t366 =  *_t366 + _t366;
				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + _t366;
				 *_t366 =  *_t366 + _t419;
				asm("pushad");
				_t367 = _t366 &  *_t366;
				 *_t367 =  *_t367 + _t367;
				 *((intOrPtr*)(_t397 - 0x15ed3700)) =  *((intOrPtr*)(_t397 - 0x15ed3700)) + _t367;
				 *_t367 =  *_t367 | _t419;
				_push(ds);
				 *_t367 =  *_t367 & _t367;
				 *_t367 =  *_t367 + _t367;
				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + _t367;
				 *_t419 =  *_t419 + _t419;
				_t368 = _t367 ^ 0x0000003f;
				 *_t368 =  *_t368 + _t368;
				 *_t368 =  *_t368 + _t368;
				 *_t368 =  *_t368 + 0xffffffe2;
				asm("adc ch, dl");
				 *_t419 =  *_t419 | _t419;
				if( *_t419 == 0) {
					 *_t368 =  *_t368 + _t368;
					 *_t368 =  *_t368 + _t368;
					_t259 = _t368;
					_t368 = _t419;
					asm("sbb [edi], bl");
					_t419 = _t259 &  *_t449;
					_t430 = _t430 - 1;
					 *_t449 =  *_t449 + _t397;
					 *_t368 =  *_t368 & _t368;
					 *_t368 =  *_t368 + _t368;
					 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + _t368;
					 *_t430 =  *_t430 + _t419;
					 *_t430 =  *_t430 & 0x00000000;
					 *_t368 =  *_t368 + 0x2f;
				}
				asm("das");
				asm("adc bl, [edx]");
				 *_t430 =  *_t430 | _t419;
				asm("adc ah, [edx]");
				 *_t368 =  *_t368 + _t368;
				 *_t368 =  *_t368 + _t368;
				 *_t368 =  *_t368 + 0x4c;
				asm("adc bh, [eax]");
				 *_t397 =  *_t397 | _t419;
				 *_t430 = _t463;
				 *_t368 =  *_t368 + _t368;
				 *_t368 =  *_t368 + _t368;
				 *_t368 =  *_t368 + 0x71;
				asm("adc bh, [ecx+0x8]");
				 *_t430 = _t430 +  *_t430;
				 *_t368 =  *_t368 + 0xffffff8e;
				asm("adc ch, [ebx+0x1e004d08]");
				 *_t368 =  *_t368 & _t368;
				 *_t368 =  *_t368 + _t368;
				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + _t368;
				 *_t449 =  *_t449 + _t419;
				asm("aas");
				 *_t368 =  *_t368 + _t368;
				 *_t368 =  *_t368 + _t368;
				 *_t368 =  *_t368 + 0xffffffec;
				asm("adc ecx, ecx");
				 *_t449 =  *_t449 | _t419;
				asm("pushfd");
				_t369 = _t368 &  *_t368;
				 *_t369 =  *_t369 + _t369;
				 *((intOrPtr*)(_t419 + 0x6e221f18)) =  *((intOrPtr*)(_t419 + 0x6e221f18)) + _t430;
				 *_t437 =  *_t437 + _t419;
				_push(ds);
				 *_t369 =  *_t369 & _t369;
				 *_t369 =  *_t369 + _t369;
				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + _t369;
				 *_t437 =  *_t437 + _t419;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + 0x26;
				asm("adc al, 0xc9");
				 *_t437 =  *_t437 | _t419;
				asm("int3");
				asm("aas");
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				_t370 = _t449;
				_t398 = _t397 + _t419;
				asm("daa");
				 *_t398 =  *_t398 - _t419;
				_push(_t370);
				_t370[0x10] = _t370 + _t370[0x10];
				 *_t370 = _t370 +  *_t370;
				 *_t370 = _t370 +  *_t370;
				_t371 = _t369;
				asm("daa");
				_t432 =  &(_t430[0]) | _t430[0];
				asm("loopne 0x42");
				 *_t371 =  *_t371 + _t371;
				 *_t371 =  *_t371 + _t371;
				_t400 = _t398 + _t419 + _t419;
				asm("daa");
				 *_t400 = _t419;
				_t373 = _t370 + _t432;
				_t421 =  *_t400 + 1;
				 *_t373 =  *_t373 + _t373;
				 *_t373 =  *_t373 + _t373;
				asm("daa");
				_t375 = _t461;
				 *_t375 =  *_t375 + _t421;
				_t433 = _t432 + 1;
				 *_t375 =  *_t375 + _t375;
				 *_t375 =  *_t375 + _t375;
				_t376 = _t373;
				asm("daa");
				asm("fisttp qword [ebx]");
				 *((intOrPtr*)(_t433 + _t376 * 2)) =  *((intOrPtr*)(_t433 + _t376 * 2)) + 0xb;
				 *_t376 =  *_t376 + _t376;
				 *_t376 =  *_t376 + _t376;
				 *_t437 =  *_t437 + _t433;
				_t378 = _t375 - 0xb + _t421;
				asm("pushfd");
				_t434 = _t433 + 1;
				 *_t378 =  *_t378 + _t378;
				 *_t378 =  *_t378 + _t378;
				asm("daa");
				_t381 = (_t376 | 0x00000060) + _t434;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + _t381;
				_t457 = _t381;
				 *((intOrPtr*)(_t457 + 0x28)) =  *((intOrPtr*)(_t457 + 0x28)) + _t434;
				_pop(_t407);
				_t383 = _t378 | 0x00000064;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				_t384 = _t457;
				_t458 = _t383;
				 *((intOrPtr*)(_t384 + 0x650c8028)) =  *((intOrPtr*)(_t384 + 0x650c8028)) + _t384;
				 *((intOrPtr*)(_t384 + 0x44)) =  *((intOrPtr*)(_t384 + 0x44)) + _t434;
				 *((intOrPtr*)(_t458 - 0x3ad75a00)) =  *((intOrPtr*)(_t458 - 0x3ad75a00)) + _t434;
				_t385 = _t384 | 0x00000068;
				 *_t458 =  *_t458 + _t407;
				 *_t385 =  *_t385 & _t385;
				 *_t385 =  *_t385 + _t385;
				 *((intOrPtr*)(_t458 - 0x6cf1dae8)) =  *((intOrPtr*)(_t458 - 0x6cf1dae8)) + _t385;
				 *_t421 =  *_t421 + _t421;
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + 0xffffffc3;
				asm("adc al, 0x3c");
				_t386 = _t385 + 0x69;
				 *_t458 =  *_t458 + _t407;
				 *_t386 =  *_t386 & _t386;
				 *_t386 =  *_t386 + _t386;
				 *((intOrPtr*)(_t458 - 0x6cf1dae8)) =  *((intOrPtr*)(_t458 - 0x6cf1dae8)) + _t386;
				 *_t434 =  *_t434 + 0x22;
				return _t386;
			}

0x00e6ef01
0x00e6ef01
0x00e6ef01
0x00e6ef06
0x00e6ef0b
0x00e6ef11
0x00e6ef12
0x00e6ef13
0x00e6ef15
0x00e6ef1b
0x00e6ef1f
0x00e6ef21
0x00e6ef23
0x00e6ef25
0x00e6ef27
0x00e6ef2d
0x00e6ef33
0x00e6ef35
0x00e6ef36
0x00e6ef37
0x00e6ef39
0x00e6ef3b
0x00e6ef3c
0x00e6ef3d
0x00e6ef3f
0x00e6ef41
0x00e6ef42
0x00e6ef43
0x00e6ef45
0x00e6ef4d
0x00e6ef4e
0x00e6ef4f
0x00e6ef51
0x00e6ef5a
0x00e6ef5b
0x00e6ef5d
0x00e6ef5f
0x00e6ef60
0x00e6ef61
0x00e6ef63
0x00e6ef69
0x00e6ef6b
0x00e6ef71
0x00e6ef77
0x00e6ef7a
0x00e6ef7e
0x00e6ef7f
0x00e6ef81
0x00e6ef83
0x00e6ef86
0x00e6ef87
0x00e6ef89
0x00e6ef8c
0x00e6ef8d
0x00e6ef8f
0x00e6ef91
0x00e6ef92
0x00e6ef93
0x00e6ef9b
0x00e6ef9e
0x00e6efa4
0x00e6efa5
0x00e6efa7
0x00e6efae
0x00e6efb3
0x00e6efb4
0x00e6efb5
0x00e6efb7
0x00e6efb7
0x00e6efbe
0x00e6efc5
0x00e6efd0
0x00e6efd7
0x00e6efdd
0x00e6efdf
0x00e6efe1
0x00e6efe3
0x00e6efe5
0x00e6efe7
0x00e6efe9
0x00e6efe9
0x00e6efed
0x00e6efef
0x00e6effb
0x00e6f001
0x00e6f007
0x00e6f00d
0x00e6f013
0x00e6f019
0x00e6f01b
0x00e6f01d
0x00e6f020
0x00e6f021
0x00e6f023
0x00e6f027
0x00e6f029
0x00e6f02c
0x00e6f02d
0x00e6f02f
0x00e6f032
0x00e6f033
0x00e6f035
0x00e6f03e
0x00e6f03f
0x00e6f041
0x00e6f043
0x00e6f044
0x00e6f048
0x00e6f049
0x00e6f04b
0x00e6f04d
0x00e6f055
0x00e6f057
0x00e6f059
0x00e6f05f
0x00e6f066
0x00e6f069
0x00e6f06e
0x00e6f06f
0x00e6f071
0x00e6f072
0x00e6f077
0x00e6f080
0x00e6f081
0x00e6f08a
0x00e6f08b
0x00e6f08d
0x00e6f08f
0x00e6f091
0x00e6f096
0x00e6f098
0x00e6f09a
0x00e6f09e
0x00e6f0a0
0x00e6f0a0
0x00e6f0a1
0x00e6f0a4
0x00e6f0a5
0x00e6f0a7
0x00e6f0a9
0x00e6f0ab
0x00e6f0ad
0x00e6f0b3
0x00e6f0b5
0x00e6f0b7
0x00e6f0b9
0x00e6f0bb
0x00e6f0c1
0x00e6f0c7
0x00e6f0c9
0x00e6f0cf
0x00e6f0d1
0x00e6f0d3
0x00e6f0d5
0x00e6f0d7
0x00e6f0dd
0x00e6f0df
0x00e6f0e1
0x00e6f0e3
0x00e6f0e5
0x00e6f0eb
0x00e6f0ed
0x00e6f0ef
0x00e6f0f1
0x00e6f0f3
0x00e6f0f9
0x00e6f0fb
0x00e6f101
0x00e6f107
0x00e6f109
0x00e6f10b
0x00e6f10d
0x00e6f10f
0x00e6f115
0x00e6f117
0x00e6f119
0x00e6f11b
0x00e6f11d
0x00e6f123
0x00e6f125
0x00e6f128
0x00e6f12a
0x00e6f12c
0x00e6f12c
0x00e6f12d
0x00e6f135
0x00e6f136
0x00e6f138
0x00e6f13a
0x00e6f13b
0x00e6f13e
0x00e6f140
0x00e6f147
0x00e6f14d
0x00e6f151
0x00e6f153
0x00e6f155
0x00e6f15b
0x00e6f15e
0x00e6f161
0x00e6f163
0x00e6f169
0x00e6f16c
0x00e6f16d
0x00e6f16f
0x00e6f171
0x00e6f177
0x00e6f17a
0x00e6f17b
0x00e6f17d
0x00e6f17f
0x00e6f185
0x00e6f188
0x00e6f189
0x00e6f18b
0x00e6f18d
0x00e6f193
0x00e6f196
0x00e6f198
0x00e6f19a
0x00e6f19c
0x00e6f19d
0x00e6f19f
0x00e6f1a1
0x00e6f1a4
0x00e6f1a6
0x00e6f1a8
0x00e6f1aa
0x00e6f1aa
0x00e6f1ad
0x00e6f1af
0x00e6f1b5
0x00e6f1b7
0x00e6f1bd
0x00e6f1bf
0x00e6f1c5
0x00e6f1cb
0x00e6f1cd
0x00e6f1cf
0x00e6f1d1
0x00e6f1d3
0x00e6f1d9
0x00e6f1db
0x00e6f1df
0x00e6f1e1
0x00e6f1e7
0x00e6f1e9
0x00e6f1eb
0x00e6f1ed
0x00e6f1ef
0x00e6f1f5
0x00e6f1f7
0x00e6f1ff
0x00e6f204
0x00e6f205
0x00e6f208
0x00e6f20a
0x00e6f20d
0x00e6f210
0x00e6f212
0x00e6f214
0x00e6f219
0x00e6f21f
0x00e6f221
0x00e6f228
0x00e6f229
0x00e6f22c
0x00e6f233
0x00e6f235
0x00e6f23b
0x00e6f241
0x00e6f243
0x00e6f244
0x00e6f245
0x00e6f24b
0x00e6f24d
0x00e6f250
0x00e6f252
0x00e6f252
0x00e6f253
0x00e6f259
0x00e6f25f
0x00e6f265
0x00e6f267
0x00e6f269
0x00e6f26b
0x00e6f26d
0x00e6f273
0x00e6f279
0x00e6f27b
0x00e6f281
0x00e6f287
0x00e6f289
0x00e6f28f
0x00e6f291
0x00e6f294
0x00e6f296
0x00e6f298
0x00e6f29b
0x00e6f29e
0x00e6f2a5
0x00e6f2ab
0x00e6f2b0
0x00e6f2b2
0x00e6f2b4
0x00e6f2b5
0x00e6f2b7
0x00e6f2ba
0x00e6f2bc
0x00e6f2bd
0x00e6f2bf
0x00e6f2c1
0x00e6f2c7
0x00e6f2c9
0x00e6f2cf
0x00e6f2d5
0x00e6f2d7
0x00e6f2d9
0x00e6f2db
0x00e6f2dd
0x00e6f2e3
0x00e6f2e5
0x00e6f2e8
0x00e6f2ea
0x00e6f2ec
0x00e6f2ef
0x00e6f2f4
0x00e6f2f5
0x00e6f2f7
0x00e6f2f9
0x00e6f2ff
0x00e6f301
0x00e6f307
0x00e6f30f
0x00e6f311
0x00e6f313
0x00e6f315
0x00e6f31b
0x00e6f31d
0x00e6f324
0x00e6f327
0x00e6f32c
0x00e6f32d
0x00e6f32f
0x00e6f331
0x00e6f337
0x00e6f33d
0x00e6f33f
0x00e6f345
0x00e6f347
0x00e6f349
0x00e6f34b
0x00e6f34d
0x00e6f353
0x00e6f355
0x00e6f357
0x00e6f359
0x00e6f35b
0x00e6f361
0x00e6f363
0x00e6f369
0x00e6f371
0x00e6f374
0x00e6f376
0x00e6f382
0x00e6f384
0x00e6f387
0x00e6f38e
0x00e6f38f
0x00e6f391
0x00e6f393
0x00e6f399
0x00e6f39b
0x00e6f39d
0x00e6f39f
0x00e6f3a1
0x00e6f3a7
0x00e6f3a9
0x00e6f3ab
0x00e6f3ad
0x00e6f3af
0x00e6f3b5
0x00e6f3b6
0x00e6f3b7
0x00e6f3ba
0x00e6f3bc
0x00e6f3be
0x00e6f3be
0x00e6f3bf
0x00e6f3c2
0x00e6f3c3
0x00e6f3c6
0x00e6f3c8
0x00e6f3ca
0x00e6f3cc
0x00e6f3cd
0x00e6f3d3
0x00e6f3d9
0x00e6f3df
0x00e6f3e5
0x00e6f3e7
0x00e6f3ed
0x00e6f3ef
0x00e6f3f6
0x00e6f3f6
0x00e6f3f7
0x00e6f3f7
0x00e6f3fd
0x00e6f403
0x00e6f409
0x00e6f40c
0x00e6f411
0x00e6f41a
0x00e6f41d
0x00e6f41f
0x00e6f425
0x00e6f429
0x00e6f42b
0x00e6f42d
0x00e6f433
0x00e6f437
0x00e6f439
0x00e6f43b
0x00e6f441
0x00e6f444
0x00e6f445
0x00e6f447
0x00e6f449
0x00e6f44f
0x00e6f452
0x00e6f453
0x00e6f455
0x00e6f457
0x00e6f45d
0x00e6f460
0x00e6f461
0x00e6f463
0x00e6f465
0x00e6f46b
0x00e6f46e
0x00e6f46f
0x00e6f471
0x00e6f473
0x00e6f479
0x00e6f47c
0x00e6f47d
0x00e6f47f
0x00e6f481
0x00e6f487
0x00e6f48a
0x00e6f48b
0x00e6f48d
0x00e6f48f
0x00e6f495
0x00e6f498
0x00e6f49a
0x00e6f49c
0x00e6f49e
0x00e6f4a1
0x00e6f4a3
0x00e6f4a6
0x00e6f4a8
0x00e6f4aa
0x00e6f4ac
0x00e6f4ac
0x00e6f4ad
0x00e6f4af
0x00e6f4b2
0x00e6f4b3
0x00e6f4b5
0x00e6f4b7
0x00e6f4b9
0x00e6f4bf
0x00e6f4c2
0x00e6f4c8
0x00e6f4c8
0x00e6f4ca
0x00e6f4cb
0x00e6f4cd
0x00e6f4d0
0x00e6f4d2
0x00e6f4d4
0x00e6f4d6
0x00e6f4d9
0x00e6f4db
0x00e6f4de
0x00e6f4e0
0x00e6f4e2
0x00e6f4e4
0x00e6f4e7
0x00e6f4eb
0x00e6f4f2
0x00e6f4f5
0x00e6f4fb
0x00e6f4fd
0x00e6f4ff
0x00e6f505
0x00e6f508
0x00e6f50a
0x00e6f50c
0x00e6f50e
0x00e6f511
0x00e6f513
0x00e6f516
0x00e6f517
0x00e6f519
0x00e6f51b
0x00e6f521
0x00e6f524
0x00e6f525
0x00e6f527
0x00e6f529
0x00e6f52f
0x00e6f534
0x00e6f536
0x00e6f538
0x00e6f53b
0x00e6f53d
0x00e6f540
0x00e6f541
0x00e6f542
0x00e6f544
0x00e6f546
0x00e6f547
0x00e6f549
0x00e6f54a
0x00e6f54c
0x00e6f54d
0x00e6f550
0x00e6f552
0x00e6f554
0x00e6f557
0x00e6f559
0x00e6f55c
0x00e6f55e
0x00e6f560
0x00e6f563
0x00e6f565
0x00e6f566
0x00e6f569
0x00e6f56b
0x00e6f56c
0x00e6f56e
0x00e6f573
0x00e6f576
0x00e6f577
0x00e6f579
0x00e6f57a
0x00e6f57c
0x00e6f57e
0x00e6f581
0x00e6f582
0x00e6f585
0x00e6f588
0x00e6f58a
0x00e6f58d
0x00e6f58f
0x00e6f594
0x00e6f595
0x00e6f596
0x00e6f598
0x00e6f59d
0x00e6f5a1
0x00e6f5a4
0x00e6f5a6
0x00e6f5a8
0x00e6f5a9
0x00e6f5ac
0x00e6f5ad
0x00e6f5af
0x00e6f5b2
0x00e6f5b4
0x00e6f5b6
0x00e6f5b6
0x00e6f5b7
0x00e6f5bd
0x00e6f5c3
0x00e6f5c9
0x00e6f5cb
0x00e6f5cd
0x00e6f5cf
0x00e6f5d1
0x00e6f5d7
0x00e6f5dc
0x00e6f5de
0x00e6f5e0
0x00e6f5e3
0x00e6f5e5
0x00e6f5e7
0x00e6f5e9
0x00e6f5eb
0x00e6f5ed
0x00e6f5f3
0x00e6f5f6

Memory Dump Source

Source File: 00000000.00000002.335971981.0000000000DE2000.00000002.00020000.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.335957846.0000000000DE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.336177916.0000000000E7A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65f7ccc334c0601fc0d5c98ee8f82ce7f82658b33a1ae19446d31d288299405
Instruction ID: 63d05e3a5dc2753ef7e0cdd13ae94aa52c6ad14689ca87145d7e767e5053c55f
Opcode Fuzzy Hash: d65f7ccc334c0601fc0d5c98ee8f82ce7f82658b33a1ae19446d31d288299405
Instruction Fuzzy Hash: 2B42DE6154E3D25FD7138B748CB5682BFB0AE1312471E4ADFC0C1CF9A3E258598AC762

Uniqueness

Uniqueness Score: -1.00%

Function 015D04E1, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336539843.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361a5cd93f8340991335b07b9b4986d1a4a40936264722a948e914bc22cb29c6
Instruction ID: 7e58a126094c173f8a1f56f40cee05a1b0d5025498ab1b64e93972163329454b
Opcode Fuzzy Hash: 361a5cd93f8340991335b07b9b4986d1a4a40936264722a948e914bc22cb29c6
Instruction Fuzzy Hash: 5FE11731D10A5A8ACB11EBA8D854A9DF3B1FF95300F51CB9AD4097B260FB706AC9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 015D04F0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336539843.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddf51ecb667897ec634106f4bd19b12c17dc360a98c5bd69df50c0ca75c4eac
Instruction ID: 2c80e209a5cf5febd02805dc00d4bf9f1c23a1a0e811ef4bf4b0431a90da76f7
Opcode Fuzzy Hash: 2ddf51ecb667897ec634106f4bd19b12c17dc360a98c5bd69df50c0ca75c4eac
Instruction Fuzzy Hash: 86D10731D20A5A8ACB11EBA4D854A9DF3B1FFD5300F51CB9AD4093B260FB706AC8CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 4680 Parent PID: 6380 RegAsm.exeCOMMON

Executed Functions

Function 0100CED0, Relevance: 2.3, APIs: 1, Instructions: 786COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.592313724.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20dce6d346805de9237e350d557d33db0c5290df79b617faf174eff684b84b46
Instruction ID: 296aae0cdf1539f6f62fabf1ee23c678eaf37df16c5e39323e82d65ad49f5138
Opcode Fuzzy Hash: 20dce6d346805de9237e350d557d33db0c5290df79b617faf174eff684b84b46
Instruction Fuzzy Hash: 6C621930E006198FDB65EFB8C8546DEB7F2AF89304F1086A9D549AB354EF309E85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02D1E198, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.593052827.0000000002D10000.00000040.00000001.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ce54ab21d08d183eabb733d5fc255ed4b9bbe8a2f447d2c10ee745b9ad0389
Instruction ID: edc26d30917769f90558ddc4938100bd9644cb68934ba8c29c6d2f9e1c5cf315
Opcode Fuzzy Hash: 49ce54ab21d08d183eabb733d5fc255ed4b9bbe8a2f447d2c10ee745b9ad0389
Instruction Fuzzy Hash: C8F15930A00209DFDB14DFA9D894B9DBBF2BF88304F558569E809AB7A5DB70EC45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FF27B8, Relevance: 1.7, APIs: 1, Instructions: 204libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF2849

Memory Dump Source

Source File: 00000002.00000002.592280028.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cdbe237e1ee779484ab8eae91da7fb2b4f76e3bb3e45b7af7c735d81fad58b2b
Instruction ID: b210eadc55ea93cc21a388691fc0aed95cd17af8c546f3f5d136934adb641044
Opcode Fuzzy Hash: cdbe237e1ee779484ab8eae91da7fb2b4f76e3bb3e45b7af7c735d81fad58b2b
Instruction Fuzzy Hash: F6716D31A10309DFDB64DFB4D464BAEB7F6AF84304F108829D542AB3A4DB799C45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02C90A70, Relevance: 7.0, APIs: 4, Instructions: 958libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: f265488a4530cd1ef38a4add49feb5e62b94871cfb3f32567c0614dfe095a9ee
Instruction ID: 64487cc6c482f2220f96ac1d4e0cef04c04fdef51aafa9b7372ab3caf6b83e94
Opcode Fuzzy Hash: f265488a4530cd1ef38a4add49feb5e62b94871cfb3f32567c0614dfe095a9ee
Instruction Fuzzy Hash: 2EA21474A04229CFCB64EB34D8986ADBBB6BF88305F1080EAD54DA3354DB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90A91, Relevance: 6.6, APIs: 4, Instructions: 631libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 1fdf792d06eac31a140adc9f53a2886ce8250e45be78eab6ba8a5b32f8781f7d
Instruction ID: d577835e9266f3d5b1a6b153e8240f2f1ce2693ce2b7f730488c059c45acb2ff
Opcode Fuzzy Hash: 1fdf792d06eac31a140adc9f53a2886ce8250e45be78eab6ba8a5b32f8781f7d
Instruction Fuzzy Hash: ED520574A04229CFCB25DB34D99869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90AD8, Relevance: 6.6, APIs: 4, Instructions: 622libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 6a8208f099317d2ba70d2504b105a0d90a93197c52ec0e297022ae69ebe36c0a
Instruction ID: 852242d52e8aafb7d5b3ce6d4334eb5d51ea7bce25ca04bed38cecd8833a3078
Opcode Fuzzy Hash: 6a8208f099317d2ba70d2504b105a0d90a93197c52ec0e297022ae69ebe36c0a
Instruction Fuzzy Hash: A1520574A04229CFCB24DB34D99869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90B16, Relevance: 6.6, APIs: 4, Instructions: 617libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 9b57a2d0b8baf32952bdf2ed843a64e95e24faff2e4c5ec2a67f56f9753ca6b9
Instruction ID: c0b3c632c130d489c2f4937b51421e0b2994567f2437de468b906ea1cf0aeb23
Opcode Fuzzy Hash: 9b57a2d0b8baf32952bdf2ed843a64e95e24faff2e4c5ec2a67f56f9753ca6b9
Instruction Fuzzy Hash: 1C520574A04229CFCB24DB74D99869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90B5D, Relevance: 6.6, APIs: 4, Instructions: 610libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: c00ae5988cd2cd1513ecb26161a5483a84161511b3638e5339d51f8d5e9a11b2
Instruction ID: 73c3bca269db715ef7f8d1baf424ab8d213809dd2d9e6f04c7c942e84fcc6b80
Opcode Fuzzy Hash: c00ae5988cd2cd1513ecb26161a5483a84161511b3638e5339d51f8d5e9a11b2
Instruction Fuzzy Hash: BC52F574A04229CFCB24DB74D99869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90BA4, Relevance: 6.6, APIs: 4, Instructions: 603libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 1a65cef9cd1ac24d8fd86ebbd8f19bf2d0f2bbcd75387ab6628fc737b2fc94ee
Instruction ID: b5cf771c45af7454b7571e9b2b90918ef92219427c02de55ffbb83e397077e94
Opcode Fuzzy Hash: 1a65cef9cd1ac24d8fd86ebbd8f19bf2d0f2bbcd75387ab6628fc737b2fc94ee
Instruction Fuzzy Hash: 1752F574A04229CFCB24DB74D99869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90BEB, Relevance: 6.6, APIs: 4, Instructions: 596libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 8237ad1b78751bb0e455076f87c20f38aeb24e8bf2dead13cb3f24a6c895f63a
Instruction ID: 843fc09b7423a41127577ec7ef29b3a881cc25a27f215c5eada2b6649dd7359a
Opcode Fuzzy Hash: 8237ad1b78751bb0e455076f87c20f38aeb24e8bf2dead13cb3f24a6c895f63a
Instruction Fuzzy Hash: DA520574A04229CFCB24DB74D99869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90C32, Relevance: 6.6, APIs: 4, Instructions: 589libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: b65c056ba67ea9e936482d403b8b3901fbfe0e5e819b2f1e0a1153d52f16f88a
Instruction ID: 1f93659c13ec1ca600e973df276ec163132fdd77786e67590e8624914c395bbe
Opcode Fuzzy Hash: b65c056ba67ea9e936482d403b8b3901fbfe0e5e819b2f1e0a1153d52f16f88a
Instruction Fuzzy Hash: 17520574A04269CFCB24DB74D89869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90C79, Relevance: 6.6, APIs: 4, Instructions: 582libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 74e1d1c430419d8d6e73f62dcf411459d7b38d263d9d3673348d4a3687f7a80d
Instruction ID: 1a843a04838b4406b8700deeeb8b152885e09516c50f14bb09b178ad7f191202
Opcode Fuzzy Hash: 74e1d1c430419d8d6e73f62dcf411459d7b38d263d9d3673348d4a3687f7a80d
Instruction Fuzzy Hash: B9420574A04229CFCB24DB74D99869DBBB6BF88206F1080EAD65DA3340DB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90CC0, Relevance: 6.6, APIs: 4, Instructions: 575libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 037ad3211847a8efd496dbd7be6ca74f5d020d2978befb461d28d6befb88224c
Instruction ID: d690cb1134a22d1117cd10d572bdfb756c0df0e267e5c25bec4d4d45235e2fc6
Opcode Fuzzy Hash: 037ad3211847a8efd496dbd7be6ca74f5d020d2978befb461d28d6befb88224c
Instruction Fuzzy Hash: 80420574A04269CFCB24DB74D89869DBBB6BF88206F1080EAD65DA3340DB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90D07, Relevance: 6.6, APIs: 4, Instructions: 566libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 46833c6c2969da6813a7d5546ea16ddf02f3d813394ad2e8c2093a3cf631653a
Instruction ID: 1da7ecbe2be29896544333268ec0c6889be7c7243c0a22e57b1ed2ab56855302
Opcode Fuzzy Hash: 46833c6c2969da6813a7d5546ea16ddf02f3d813394ad2e8c2093a3cf631653a
Instruction Fuzzy Hash: 8C420674A04269CFCB24DB74D89869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90D45, Relevance: 6.6, APIs: 4, Instructions: 559libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 21bca5f4558ce5467d055f7493b86cb99220de867dd76c470f71a7bdfc4e0f30
Instruction ID: ec352ff69e4e23f39c7128ab1506c5b7415b8ba20a9a90f01cfb036a013ebf90
Opcode Fuzzy Hash: 21bca5f4558ce5467d055f7493b86cb99220de867dd76c470f71a7bdfc4e0f30
Instruction Fuzzy Hash: 8F420674A04269CFCB24DB74D89869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90D83, Relevance: 6.6, APIs: 4, Instructions: 554libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 79bb3244c23c5ed11b2fd083466b46cb0efeed2c288b9dc059a5f5a2db3bb8b5
Instruction ID: 8de6e07a19affb14b077b54bf36c34296bfc80cb8ce8df4a1ffbd2c2ca9d83b3
Opcode Fuzzy Hash: 79bb3244c23c5ed11b2fd083466b46cb0efeed2c288b9dc059a5f5a2db3bb8b5
Instruction Fuzzy Hash: 75420674A042698FCB24DB74C89869DBBB6AF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90DCA, Relevance: 6.5, APIs: 4, Instructions: 547libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 529f479bc5756d9fbfeab023bdf03c820f3f08b56cc688ec299d7749407bc3cd
Instruction ID: a726ae248edc2eb34140bdd1c79353bd703e6040c7cbf7c6c47c28b8bd17da85
Opcode Fuzzy Hash: 529f479bc5756d9fbfeab023bdf03c820f3f08b56cc688ec299d7749407bc3cd
Instruction Fuzzy Hash: 4F420674A042698FCB24DB74D89869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90E11, Relevance: 6.5, APIs: 4, Instructions: 538libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 7ea7f5d926c1957f42d105c47d1478e1ab4d4f71d83de5dba352f9c2ac8ac9d6
Instruction ID: 713056ec9d93944c8954a450038c6d031241b4e88bed9359f1d47d1a94935004
Opcode Fuzzy Hash: 7ea7f5d926c1957f42d105c47d1478e1ab4d4f71d83de5dba352f9c2ac8ac9d6
Instruction Fuzzy Hash: A1320674A042698FCB24DF74D89869DBBB6BF88206F1080EAD65DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90E4F, Relevance: 6.5, APIs: 4, Instructions: 531libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: dd2c0bf41960cdbc7ee02f55053621cb7798d00083aea344039fc72216a8c2e6
Instruction ID: cef628b3d9a23de6a212b5fa3d9176bef2e65dfbeac5ee3f2ed750690877a0ce
Opcode Fuzzy Hash: dd2c0bf41960cdbc7ee02f55053621cb7798d00083aea344039fc72216a8c2e6
Instruction Fuzzy Hash: 31320774A042698FCB24DF74C89869DBBB6BF88206F1080EAD65DA3344DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90E8D, Relevance: 6.5, APIs: 4, Instructions: 526libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 40300e4afaa28f0a39bb269615968503ba2fb560c7bfbbea74d92fa7b73d2448
Instruction ID: 1f0816d9ddf3e2cf8fd0ceb3effb3062fc50ea0c648a1c07b186da92bf6aa991
Opcode Fuzzy Hash: 40300e4afaa28f0a39bb269615968503ba2fb560c7bfbbea74d92fa7b73d2448
Instruction Fuzzy Hash: 27321774A042698FCB24DF74C89869DBBB6BF88206F1080EAD55DA3344DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90ED4, Relevance: 6.5, APIs: 4, Instructions: 519libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C90EFA
LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 6691f527c22f47d9e056636c1e2e7dc75f2cb9b53012d0e941c3bf988695a6a5
Instruction ID: 15a46c20c1f0d4aa45b49f8e110dffc0a20ce7a035e0557c76da5e97b6d9d44f
Opcode Fuzzy Hash: 6691f527c22f47d9e056636c1e2e7dc75f2cb9b53012d0e941c3bf988695a6a5
Instruction Fuzzy Hash: 98320674A042698FCB24DF74C89869DBBB6BF88206F1480EAD61DA3344DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90F1B, Relevance: 5.0, APIs: 3, Instructions: 512libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 9ee2553a771fe5a0d07329db099c0bf1df7387d2c8f02997fcbf7e09a390c429
Instruction ID: 1454a59b50fdf7cdd2fec37f7d8e757957e16c651e94f168478e3aee1b2d53c3
Opcode Fuzzy Hash: 9ee2553a771fe5a0d07329db099c0bf1df7387d2c8f02997fcbf7e09a390c429
Instruction Fuzzy Hash: 80321774A042298FCB24DF74C8986ADBBB6AF88206F1480EAD51DA3344DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90F62, Relevance: 5.0, APIs: 3, Instructions: 503libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 79ac17be5a74e9286abd580a0261f61f9526176e147ebf2fae084bb94a8f887e
Instruction ID: 57966c3726c67e6f26a4480f9a84b64f0ee29f19feed45bea370b6dbb1a554cf
Opcode Fuzzy Hash: 79ac17be5a74e9286abd580a0261f61f9526176e147ebf2fae084bb94a8f887e
Instruction Fuzzy Hash: 84321874A042298FCB24DF74C8986ADBBB6BF88205F1480E9D51DA3344DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90FA0, Relevance: 5.0, APIs: 3, Instructions: 498libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: e03fe521a77ee0776c294b50f20e1a16e135e88f440fcc2fccd97693ed313168
Instruction ID: e151700684d1b8ec6a57aa9cf8fc899f64d322032643d5380fe694bab82eec33
Opcode Fuzzy Hash: e03fe521a77ee0776c294b50f20e1a16e135e88f440fcc2fccd97693ed313168
Instruction Fuzzy Hash: 49321774A042298FCB24EF74C8986ADBBB6BF88205F1480EAD50DA3340DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90FE7, Relevance: 5.0, APIs: 3, Instructions: 491libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02C91122
KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 30bf32cbaf04742ed1e9b30353c44c63fa9d40dd1c18b0dda727799960b57ac9
Instruction ID: d5271ecefe0d7b8495c55c3ab8da55ec349f70aed48d743f40e169418bc3e971
Opcode Fuzzy Hash: 30bf32cbaf04742ed1e9b30353c44c63fa9d40dd1c18b0dda727799960b57ac9
Instruction Fuzzy Hash: A4220774A042698FCB24DF74C8986ADBBB6BF88205F1480EAD54EA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C91445, Relevance: 3.3, APIs: 2, Instructions: 325COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9bd922ca74aa07f89fdce3f45445d88c15c85b698f1d4825982abb976c1750ca
Instruction ID: c7d87bd5d5b06b587015a66b3327a1c32f8810ebceefb4af7b34ce34ff49dd9b
Opcode Fuzzy Hash: 9bd922ca74aa07f89fdce3f45445d88c15c85b698f1d4825982abb976c1750ca
Instruction Fuzzy Hash: 36E12AB4A04219CFCB24DB34C8996ADBBB6AF88206F1480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C9148C, Relevance: 3.3, APIs: 2, Instructions: 318COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 39953136dea9e201333e810498c9a3f48daddb087e8efd46b7b6597245a8236b
Instruction ID: d5d60a8c04ffa3913afafee7731b539351ad4f0d4d550e1b5c7fb64573339623
Opcode Fuzzy Hash: 39953136dea9e201333e810498c9a3f48daddb087e8efd46b7b6597245a8236b
Instruction Fuzzy Hash: 56E128B4A04259CFCB24DB34C8996ADBBB6AF88206F1480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C914D3, Relevance: 3.3, APIs: 2, Instructions: 311COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c4e13a6a2fff7125d2b6030e5763c05dcec6de265e8f282babc6290e1d3878b8
Instruction ID: d9476ce0e2dacc69c96851a40dc730ff4959f6cda23ee5b53c2efb4576e7268a
Opcode Fuzzy Hash: c4e13a6a2fff7125d2b6030e5763c05dcec6de265e8f282babc6290e1d3878b8
Instruction Fuzzy Hash: 80E129B4A04219CFCB24DF34C9996ADBBB6AF88206F1480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C9151D, Relevance: 3.3, APIs: 2, Instructions: 304COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C91546
KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9e781ca872a240292cf2e12dce271ec4c6519fffedbe297fce5329fca3733e95
Instruction ID: 5fb58eb060797a59ecefe8553577eb78787481169353a4e412015ba6cede7de2
Opcode Fuzzy Hash: 9e781ca872a240292cf2e12dce271ec4c6519fffedbe297fce5329fca3733e95
Instruction Fuzzy Hash: EEE119B4A04219CFCB24DB34C8996ADBBB6BF88206F5480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C9157D, Relevance: 1.8, APIs: 1, Instructions: 293COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bef4223b695f15751be594db3eda79c49c94ac9dc6e2720c478edf0efa81e7d1
Instruction ID: 233d55436918910826c9b5dcc161d0fee8a6eac8eadddf7129cf8ce97433f3d3
Opcode Fuzzy Hash: bef4223b695f15751be594db3eda79c49c94ac9dc6e2720c478edf0efa81e7d1
Instruction Fuzzy Hash: 31D119B4A04219CFCB24DB34C9896ADBBB6BF88206F5480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C915C7, Relevance: 1.8, APIs: 1, Instructions: 286COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 938ae0e8267777342fa0eaf544fd1f995d80cdb3b6142780569d294d05e013d8
Instruction ID: 5a3390b18086c149292a1e0c5f039c9744205b8df0c1fbf8b5b4fad142c5397e
Opcode Fuzzy Hash: 938ae0e8267777342fa0eaf544fd1f995d80cdb3b6142780569d294d05e013d8
Instruction Fuzzy Hash: 63D11AB4A04219CFCB24DB34C9896ADBBB6AF88206F5480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C91611, Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7a2de7ad60865763aef0af0122800b8c8113a4059ede6e5af401f1948305e6ea
Instruction ID: a272e3845d63c14a9bfaa0b65d3b9d0b86b9c3ae8f5cbc0b9b1c70a6ffee6615
Opcode Fuzzy Hash: 7a2de7ad60865763aef0af0122800b8c8113a4059ede6e5af401f1948305e6ea
Instruction Fuzzy Hash: E3D12AB4A04219CFCB24DB34C9897ADBBB6AF88206F5480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C9165B, Relevance: 1.8, APIs: 1, Instructions: 272COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2bf8533d172e163daff564e70107048fd8c99db83ad6d71b71641109905fd75d
Instruction ID: 168b19fdd5813a29be0c62a969d98b58425c5d35655d90189c8aa6ec8ff50db6
Opcode Fuzzy Hash: 2bf8533d172e163daff564e70107048fd8c99db83ad6d71b71641109905fd75d
Instruction Fuzzy Hash: 48C12AB4A04219CFCB24DB34C9897ADBBB6AF88206F5480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C916A5, Relevance: 1.8, APIs: 1, Instructions: 265COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4390cb090cefd0a7f4f0db40537de20237051a580b0c26bce610204a5f124f30
Instruction ID: 927f3c7c3d063f8148e1cdcdc5cc013924ef9e97ae6b3e4481bcb149d4acdcb0
Opcode Fuzzy Hash: 4390cb090cefd0a7f4f0db40537de20237051a580b0c26bce610204a5f124f30
Instruction Fuzzy Hash: A6C12BB4A04219CFCB24DB34C8997ADBBB6AF88206F5480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C916EF, Relevance: 1.8, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0a345651c2f22a86f86a1aafc23302734d9dc0f2212a946f58b21cc9a7e460c6
Instruction ID: 2ef4d28eed7c5e5feb8b35b8ee7b308ebccf9408168ea27f1501a3cb2b304656
Opcode Fuzzy Hash: 0a345651c2f22a86f86a1aafc23302734d9dc0f2212a946f58b21cc9a7e460c6
Instruction Fuzzy Hash: DFC13CB4A04219CFCB24DB34C8997ADBBB6AF88206F5480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C91739, Relevance: 1.8, APIs: 1, Instructions: 251COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c2bfe6b480513cf02acee1e6aa7cb8e9e81fd26c67ce5723e92cc7f76f01a428
Instruction ID: 032a73f4fd8b773d144708c5c2234e182b0d93ed326e09e8bb4cd60302e2ea47
Opcode Fuzzy Hash: c2bfe6b480513cf02acee1e6aa7cb8e9e81fd26c67ce5723e92cc7f76f01a428
Instruction Fuzzy Hash: F8B14CB4A04219CFCB24DB34C8997ADBBB6AF88205F5480E9D60DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C91783, Relevance: 1.7, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9a407fbb41c5fcd324f7c2091d7dbfe99511c97fa8a0b024be1ce5d43c906c51
Instruction ID: e3c7a0b1abe9f34ff251e0f297cdb0ab57fa5c505579cefe49e5c137a1489bc7
Opcode Fuzzy Hash: 9a407fbb41c5fcd324f7c2091d7dbfe99511c97fa8a0b024be1ce5d43c906c51
Instruction Fuzzy Hash: 6DB12BB4A04229CFCB24DB34C8997ADBBB6AF88205F5480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C917CD, Relevance: 1.7, APIs: 1, Instructions: 237COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02C917F6

Memory Dump Source

Source File: 00000002.00000002.593011264.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c1e84beb749cb84c4e7cd4762e2dfd2f7e6e5aec469e697cf147be7a9eabaa40
Instruction ID: 18d339d5957fed63ebfc462654121c88606caaa4349db856c20e6afcea060f13
Opcode Fuzzy Hash: c1e84beb749cb84c4e7cd4762e2dfd2f7e6e5aec469e697cf147be7a9eabaa40
Instruction Fuzzy Hash: 77A14CB4A04229CFCB24DB34C8997ADBBB6AF88205F5480E9D61DA3340DF359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00FF0740, Relevance: 1.7, APIs: 1, Instructions: 174libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF07EF

Memory Dump Source

Source File: 00000002.00000002.592280028.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3d125cc35979828c00a0d4c5bc1cbad455f8eef37a7e10ecd67d21ba10a0787
Instruction ID: ec9457af781e8277211aecacdc03dbe4fef64d7e2dc66547f883a423afc13cfd
Opcode Fuzzy Hash: c3d125cc35979828c00a0d4c5bc1cbad455f8eef37a7e10ecd67d21ba10a0787
Instruction Fuzzy Hash: FC51D531A002099FCB14EBB4D894AEEB7B6BF84344F148969D545DB3A2EF74DC05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D10B58, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.593052827.0000000002D10000.00000040.00000001.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdea4c1343129da3b153b92207f82d67d7fff63cab2a0a8c8f024d0a1079405b
Instruction ID: 2581320cfa26022d853c50200c66798eb76a0bc44825346519a6554cc5bfd0a7
Opcode Fuzzy Hash: bdea4c1343129da3b153b92207f82d67d7fff63cab2a0a8c8f024d0a1079405b
Instruction Fuzzy Hash: 16415671D083858FCB01DF75D8106EEBBF0AF89214F1585AED804AB751EB389888CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFCDE8, Relevance: 1.6, APIs: 1, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 00FFCEEC

Memory Dump Source

Source File: 00000002.00000002.592280028.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5f49e8dcf4f7acdcb0288e86d159963b002183a7d70066022e5c66a5a1b6a42f
Instruction ID: 483b1ea1f52b336f14e64ae20434f8f85e2c20c3b9066b7ca0a71455b3c73489
Opcode Fuzzy Hash: 5f49e8dcf4f7acdcb0288e86d159963b002183a7d70066022e5c66a5a1b6a42f
Instruction Fuzzy Hash: AC4156B0E0424DCFDB00CFA9C548A9EFBF2AF48314F29C16AE508AB351D7759845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF118C, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00FFD159

Memory Dump Source

Source File: 00000002.00000002.592280028.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dd96b21a65ed198fa8290e717cc0952cccec4b1ae29e2e05dcd4cf15bea84999
Instruction ID: 2d6ba5b0c3a4d28662526c85937ed05f8c9900cbacad73aca68c5729e9add75b
Opcode Fuzzy Hash: dd96b21a65ed198fa8290e717cc0952cccec4b1ae29e2e05dcd4cf15bea84999
Instruction Fuzzy Hash: DA31CEB1D0025C9FDB10CF99C884A9EBBF5AF48714F54806AE919AB310D7749909DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD094, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00FFD159

Memory Dump Source

Source File: 00000002.00000002.592280028.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5a8fbd29946e40981e0f8ee4878ca7b16c6101c69bdb6d1f49ec61602680f899
Instruction ID: 476653358d3607caa88f2bed95434e17a6d0bb1009f8b99e2135422bb7aa9907
Opcode Fuzzy Hash: 5a8fbd29946e40981e0f8ee4878ca7b16c6101c69bdb6d1f49ec61602680f899
Instruction Fuzzy Hash: D141F0B1D002589FDB10CF99C984ADEFBF6AF48714F14806AE819AB310D7749909CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF1180, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 00FFCEEC

Memory Dump Source

Source File: 00000002.00000002.592280028.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a24c1b0e0a41e38d190311225fd0a5686674fb2e769228efe0ded0f29333a2c6
Instruction ID: 1f727ba9c3c22227f65ea05ac3ad731f1548628df65da8fca0186f4565fed318
Opcode Fuzzy Hash: a24c1b0e0a41e38d190311225fd0a5686674fb2e769228efe0ded0f29333a2c6
Instruction Fuzzy Hash: 1D3110B1D0524C9FCB10CF99C588A9EFFF5BF48304F29816AE909AB351D7B59845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D11931, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02D119B3

Memory Dump Source

Source File: 00000002.00000002.593052827.0000000002D10000.00000040.00000001.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c53645d1b239aec144221b7dfefbfed7ab9a818daa6cfcb959064c36fe22a2a8
Instruction ID: 475f91a4bfa263969b2ee666e21b007b9ad90aea4effed8ef07f902ed2502708
Opcode Fuzzy Hash: c53645d1b239aec144221b7dfefbfed7ab9a818daa6cfcb959064c36fe22a2a8
Instruction Fuzzy Hash: 6C2132B59002099FCB10CF99D844BEEFBF5EB88314F10842AE469A7750DB74A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D11938, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02D119B3

Memory Dump Source

Source File: 00000002.00000002.593052827.0000000002D10000.00000040.00000001.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b2e3de338af6d6bb5c637986061258242c25fb245161625f6f4458755c7bbebe
Instruction ID: 0409008d0c669a7027c607e8f414166252af3b89f7a45cc24958f133c185df19
Opcode Fuzzy Hash: b2e3de338af6d6bb5c637986061258242c25fb245161625f6f4458755c7bbebe
Instruction Fuzzy Hash: A72113B59002099FCB10CF9AD844BEEFBF5EB88314F10842AE469A7750DB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D19874, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,02D1A709,00000800), ref: 02D1A79A

Memory Dump Source

Source File: 00000002.00000002.593052827.0000000002D10000.00000040.00000001.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ec737d5369130f49efaf7c3de9f0ddee09e55ba35bca8bb3fecee708914020f
Instruction ID: 890554f54ec3666566b7b44694fdf39114d4e8a7b3153e6dc7e78e2b8e46f47f
Opcode Fuzzy Hash: 2ec737d5369130f49efaf7c3de9f0ddee09e55ba35bca8bb3fecee708914020f
Instruction Fuzzy Hash: 8711E4B69042099FCB10CF9AD444BDEFBF4EF88324F14842AE959A7700D375A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A728, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,02D1A709,00000800), ref: 02D1A79A

Memory Dump Source

Source File: 00000002.00000002.593052827.0000000002D10000.00000040.00000001.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 35eb8c126cf28c871e1aaf5b448b68b1c7dce51dc9697184a8bc51f288da421a
Instruction ID: d710eb8e110544d683eb38d0364ab09bb968120584b4a49e28bcb1707e901e98
Opcode Fuzzy Hash: 35eb8c126cf28c871e1aaf5b448b68b1c7dce51dc9697184a8bc51f288da421a
Instruction Fuzzy Hash: C11114B69002099FCB10CF9AD484ADEFBF4EF89324F14841AE815A7710C375AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D10C40, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 02D10CA7

Memory Dump Source

Source File: 00000002.00000002.593052827.0000000002D10000.00000040.00000001.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 2a6a1fa7045231d96b3def1f13edc89bf8396a482d12fd32edb1e7f7f5221f2d
Instruction ID: 32e0e8a48a19ae51544f1e9b6ded0fca066a27f64e98083d0bfc74f9eebb89be
Opcode Fuzzy Hash: 2a6a1fa7045231d96b3def1f13edc89bf8396a482d12fd32edb1e7f7f5221f2d
Instruction Fuzzy Hash: 711112B1C006199FCB00DFAAD444BDEFBB4EF48224F15816AE818A7340E378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 059DF268, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.597093479.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d615df146f2ecea24e37db5dbc24f9fd5f7e5f9747d02559483cbbe027700612
Instruction ID: b4518a2e44cdccdaef5f7cb6f9cea4be032bc8f02234ba4a6728aa6d9c1a0d92
Opcode Fuzzy Hash: d615df146f2ecea24e37db5dbc24f9fd5f7e5f9747d02559483cbbe027700612
Instruction Fuzzy Hash: E0A19E31A08249DFCF05CFA8C845AEDFFB2FF49350F15816AE906AB261D7349855CB60

Uniqueness

Uniqueness Score: -1.00%

Function 059DFBD8, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.597093479.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2356c127e9aea1bd6c8b32beb1a6e2ff030082473203541c8683f8e9f3f17692
Instruction ID: 6a33b7e89b3bec4d2ef25ee451f95240d7f1f8045d3b8a5f1269d4e2a0061a39
Opcode Fuzzy Hash: 2356c127e9aea1bd6c8b32beb1a6e2ff030082473203541c8683f8e9f3f17692
Instruction Fuzzy Hash: 2E617C75E007498FDF11CFA9C541AAEFBF6AF8A300F24865AD806AB241D770A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 059DFBC8, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.597093479.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15266c2b2ec7e02dfce0188afee72fe76810a6b63a82a7ca381ec3f86048095b
Instruction ID: 86041280f143c297fdf7aa859d0164a8857c7c9313006e33a21a5ffe06057095
Opcode Fuzzy Hash: 15266c2b2ec7e02dfce0188afee72fe76810a6b63a82a7ca381ec3f86048095b
Instruction Fuzzy Hash: A0518D75E047898FCF11CFA5C541AEDFBF6BF8A300F24865AE806AB241D770A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 059DF3BB, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.597093479.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd9a760381518dd66d691c88582d80a7033cc7c966cad526d53391a1fdde35e
Instruction ID: 27a5c2d2d27c1ec0f9cee96e719cf69ac01d15e8998c4b82b4eb8d7588dd8095
Opcode Fuzzy Hash: 1bd9a760381518dd66d691c88582d80a7033cc7c966cad526d53391a1fdde35e
Instruction Fuzzy Hash: F6418F35A08249DFCF11CFA4C885AADFFB2BF49350F05C165E956AB261D330E954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 059DFE30, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.597093479.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323aad23a2693e86a16504c66721a08e32e2b84baf5061673460dc23e0fac407
Instruction ID: c5b6ad7f99d5db32088fc6630c6a13b4c320ab51cdd7f89a2a035729aae1bb86
Opcode Fuzzy Hash: 323aad23a2693e86a16504c66721a08e32e2b84baf5061673460dc23e0fac407
Instruction Fuzzy Hash: 6A212631F043649BCB25AB7494153BFFAA2AB84704F01C82AC917E7781DBB449058BF2

Uniqueness

Uniqueness Score: -1.00%

Function 059DF4A0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.597093479.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0bd289b774436af21c9434f955c76581d7af10a21c8f9652b99cf0b2748cf3f
Instruction ID: 2b5caf36f78040a468c16e2721d010fd603f1a520097017b8f4749f54c921b66
Opcode Fuzzy Hash: c0bd289b774436af21c9434f955c76581d7af10a21c8f9652b99cf0b2748cf3f
Instruction Fuzzy Hash: 6B11D331A042069BCF10CF68C886B6EFBA6AF85390F15C695D51AAB2A5D371F81087B4

Uniqueness

Uniqueness Score: -1.00%

Function 059DFF78, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.597093479.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294a0501e756f9bb1407c6cab78101562a9c848b53fba6f88a4d4da40f418e04
Instruction ID: 59995a55cdd19af347242b1b4bb3751baf52f58bbe1ec619919871ce6d789d2a
Opcode Fuzzy Hash: 294a0501e756f9bb1407c6cab78101562a9c848b53fba6f88a4d4da40f418e04
Instruction Fuzzy Hash: 9EE0EDB0D083499FC790DFB9C51669EFFF0AF45214F2089BEC056E6641E77445068F91

Uniqueness

Uniqueness Score: -1.00%

Function 059DFF88, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.597093479.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9204e89e63df57ca125d5a1995f61aaa23a1b47e5d2a2c52f2bb604786a769
Instruction ID: 49fd5b14601a6a0d8bfe9ff4d7406bb25557c8fc771e3e5a73bb5159a935b44e
Opcode Fuzzy Hash: cf9204e89e63df57ca125d5a1995f61aaa23a1b47e5d2a2c52f2bb604786a769
Instruction Fuzzy Hash: F1E0ECB0D042099EC780EFA8C41579EFFF0BB04304F10896AC016E6241EB7446058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 059DFF30, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.597093479.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075b80e39848e3bb7724c72dfac85c5f1ac6ad5f2b18a8bc36fdcd0f03c10d60
Instruction ID: 9dbbefa1b9235b393a27be5ea7f423e129b5c045276c9c2accb757f4b8589a89
Opcode Fuzzy Hash: 075b80e39848e3bb7724c72dfac85c5f1ac6ad5f2b18a8bc36fdcd0f03c10d60
Instruction Fuzzy Hash: 25E0ECB0D0420A9ED740EFA8840539EFAF0AB04340F1088698015E6241EBB446408FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Pagamento.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

CPU Usage

Function 00E6EF01, Relevance: .6, Instructions: 639
COMMONCrypto

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre