Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.Trojan.PackedNET.461.20928.18265

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.PackedNET.461.20928.18265 (renamed file extension from 18265 to exe)
Analysis ID:321286
MD5:0daef62b8a4b65f7ce2021e21941e32e
SHA1:f7151675eca0e8523ed49af966c2d794b058517e
SHA256:d859634791d000b01f18b3e4edc144cfb67ad9983f39d771f18ca2a4d749323b
Tags:AgentTesla

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
.NET source code contains very large array initializations
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.PackedNET.461.20928.exe (PID: 488 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe' MD5: 0DAEF62B8A4B65F7CE2021E21941E32E)
    • RegAsm.exe (PID: 5912 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0AzrlsA", "URL: ": "https://2IzKMJMMUb1a8c.org", "To: ": "kurumsal@onurturizm.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "=0AZGzYhj", "From: ": "kurumsal@onurturizm.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.244849667.0000000001161000.00000004.00000020.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000001.00000002.493036568.0000000002CE5000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000001.00000002.493036568.0000000002CE5000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 6 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.RegAsm.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.SecuriteInfo.com.Trojan.PackedNET.461.20928.exe.55a0000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                Sigma Overview

                System Summary:

                barindex
                Sigma detected: RegAsm connects to smtp portShow sources
                Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 5912, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49742

                Signature Overview

                Click to jump to signature section

                Show All Signature Results

                AV Detection:

                barindex
                Antivirus / Scanner detection for submitted sampleShow sources
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeAvira: detected
                Found malware configurationShow sources
                Source: RegAsm.exe.5912.1.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "=0AzrlsA", "URL: ": "https://2IzKMJMMUb1a8c.org", "To: ": "kurumsal@onurturizm.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "=0AZGzYhj", "From: ": "kurumsal@onurturizm.com"}
                Multi AV Scanner detection for submitted fileShow sources
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeVirustotal: Detection: 51%Perma Link
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeReversingLabs: Detection: 52%
                Machine Learning detection for sampleShow sources
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeJoe Sandbox ML: detected
                Source: 1.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                Networking:

                barindex
                May check the online IP address of the machineShow sources
                Source: unknownDNS query: name: api.ipify.org
                Source: unknownDNS query: name: api.ipify.org
                Source: unknownDNS query: name: api.ipify.org
                Source: unknownDNS query: name: api.ipify.org
                Source: unknownDNS query: name: api.ipify.org
                Source: unknownDNS query: name: api.ipify.org
                Source: global trafficTCP traffic: 192.168.2.3:49742 -> 77.88.21.158:587
                Source: Joe Sandbox ViewIP Address: 23.21.42.25 23.21.42.25
                Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: global trafficTCP traffic: 192.168.2.3:49742 -> 77.88.21.158:587
                Source: unknownDNS traffic detected: queries for: api.ipify.org
                Source: RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                Source: RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.c
                Source: RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
                Source: RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer0
                Source: RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://repository.certuqN
                Source: RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: RegAsm.exe, 00000001.00000002.495319989.0000000002F49000.00000004.00000001.sdmpString found in binary or memory: http://smtp.yandex.com
                Source: RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: http://soEqfW.com
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
                Source: RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
                Source: RegAsm.exe, 00000001.00000002.493036568.0000000002CE5000.00000004.00000001.sdmpString found in binary or memory: https://2IzKMJMMUb1a8c.org
                Source: RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org
                Source: RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org/
                Source: RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.246909828.0000000004A46000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.489442244.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
                Source: RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeString found in binary or memory: https://login.microsoftonline.com
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeString found in binary or memory: https://management.azure.com/
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeString found in binary or memory: https://management.azure.com/Chttps://login.microsoftonline.com
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeString found in binary or memory: https://management.azure.com/subscriptions/
                Source: RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.246909828.0000000004A46000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.489442244.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443

                System Summary:

                barindex
                .NET source code contains very large array initializationsShow sources
                Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.461.20928.exe.55a0000.1.unpack, u003cPrivateImplementationDetailsu003eu007b000E0224u002dE7FBu002d4BDCu002d869Cu002dCEF787A7DB42u007d/FFA3786Du002dF28Fu002d4271u002dA717u002d789CC5D404E8.csLarge array initialization: .cctor: array initializer size 11990
                Source: 1.2.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b000E0224u002dE7FBu002d4BDCu002d869Cu002dCEF787A7DB42u007d/FFA3786Du002dF28Fu002d4271u002dA717u002d789CC5D404E8.csLarge array initialization: .cctor: array initializer size 11990
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_05591C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,0_2_05591C09
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_055900AD NtOpenSection,NtMapViewOfSection,0_2_055900AD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_013404F00_2_013404F0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_013404DF0_2_013404DF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02A548281_2_02A54828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02A5D6411_2_02A5D641
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D99E241_3_05D99E24
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.248442795.00000000058B0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTRfQkqvqtOZekgSP.bounce.exe4 vs SecuriteInfo.com.Trojan.PackedNET.461.20928.exe
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.248660874.00000000060D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.PackedNET.461.20928.exe
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.246909828.0000000004A46000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNtKGGboDuyquYDTscBefUWs.exe4 vs SecuriteInfo.com.Trojan.PackedNET.461.20928.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.461.20928.exe.55a0000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.461.20928.exe.55a0000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 1.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 1.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@4/2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe.logJump to behavior
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeVirustotal: Detection: 51%
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeReversingLabs: Detection: 52%
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe'
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_01344B63 pushfd ; ret 0_2_01344B79
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_01344AC0 push eax; ret 0_2_01344AC1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_01345D78 pushfd ; iretd 0_2_01345D79
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D9EBD5 push esp; ret 1_3_05D9EB83
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D975E9 push edx; ret 1_3_05D975EA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D97392 push esp; ret 1_3_05D97393
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D997AA push ss; ret 1_3_05D997AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D9EBAD push ecx; ret 1_3_05D9EB5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D975A2 push ss; ret 1_3_05D975A3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D9C35B pushad ; ret 1_3_05D9C361
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D9C34B push eax; ret 1_3_05D9C351
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05DA1D62 push ebp; ret 1_3_05DA1D63
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D9C363 push 6805D9C3h; ret 1_3_05D9C36D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D97119 push edx; ret 1_3_05D9711A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D9271F pushfd ; ret 1_3_05D92923
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D9EB38 push ecx; ret 1_3_05D9EB5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D97329 push edx; ret 1_3_05D9732A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D97CC9 push edx; ret 1_3_05D97CCA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D978A9 push edx; ret 1_3_05D978AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05D9EC50 push es; ret 1_3_05D9ED13
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_3_05DA3623 push edi; iretd 1_3_05DA3624
                Source: initial sampleStatic PE information: section name: .text entropy: 7.8686198737
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion:

                barindex
                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 575Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe TID: 5776Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5880Thread sleep count: 219 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5880Thread sleep count: 575 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -60000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -59814s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -58906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -58688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -58500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -86721s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -86391s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -57406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -84750s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -56094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -55406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -82782s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -55000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -54814s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -54314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -81141s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -53906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -53688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -79500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -79221s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -52594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -77859s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -51500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -51314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -76221s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -75891s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -50406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -74250s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -49314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -49094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -72609s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -48188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -48000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -47814s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -47314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -70641s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -46906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -46688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -46000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -68721s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -67359s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -67032s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -43814s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -43594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -43406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -42500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -42314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -62109s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -40314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -39314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -39000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -58221s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -38594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -38406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -37906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -37688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -37500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -37314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -37094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -36814s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -36594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -36406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -36188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -35814s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -35500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -52971s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -35094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -34906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -34688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -34406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -34188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -33814s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -33594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -33314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -32906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -32688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -32500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -32314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -47721s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -31594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -31406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -31188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -30906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -30688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -30500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -30314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -30094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -42471s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -37221s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -56906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -56688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -55814s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -55594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -54500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -53188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -52314s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -52094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -51688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -51000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -49906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -49688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -48814s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -48594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -47500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -46406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -46188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -45500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -45094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -44406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -42906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -40906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -40688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5876Thread sleep time: -40500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeLast function: Thread delayed
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.248660874.00000000060D0000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.498756338.0000000005C50000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.248660874.00000000060D0000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.498756338.0000000005C50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.248660874.00000000060D0000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.498756338.0000000005C50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: RegAsm.exe, 00000001.00000003.439093676.0000000005D67000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll697071727374757677787980818283848586878889909192939495969798100..MappingStrings
                Source: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.248660874.00000000060D0000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.498756338.0000000005C50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_055901CB mov eax, dword ptr fs:[00000030h]0_2_055901CB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_055900AD mov ecx, dword ptr fs:[00000030h]0_2_055900AD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCode function: 0_2_055900AD mov eax, dword ptr fs:[00000030h]0_2_055900AD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion:

                barindex
                Maps a DLL or memory area into another processShow sources
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior
                Writes to foreign memory regionsShow sources
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 93D008Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                Source: RegAsm.exe, 00000001.00000002.492195027.0000000001280000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: RegAsm.exe, 00000001.00000002.492195027.0000000001280000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: RegAsm.exe, 00000001.00000002.492195027.0000000001280000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: RegAsm.exe, 00000001.00000002.492195027.0000000001280000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information:

                barindex
                Yara detected AgentTeslaShow sources
                Source: Yara matchFile source: 00000000.00000002.244849667.0000000001161000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.493036568.0000000002CE5000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.489442244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.246909828.0000000004A46000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.248059193.00000000055A2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5912, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe PID: 488, type: MEMORY
                Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.PackedNET.461.20928.exe.55a0000.1.unpack, type: UNPACKEDPE
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                Tries to harvest and steal browser information (history, passwords, etc)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Tries to harvest and steal ftp login credentialsShow sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                Tries to steal Mail credentials (via file access)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                Source: Yara matchFile source: 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.493036568.0000000002CE5000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5912, type: MEMORY

                Remote Access Functionality:

                barindex
                Yara detected AgentTeslaShow sources
                Source: Yara matchFile source: 00000000.00000002.244849667.0000000001161000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.493036568.0000000002CE5000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.489442244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.246909828.0000000004A46000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.248059193.00000000055A2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5912, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe PID: 488, type: MEMORY
                Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.PackedNET.461.20928.exe.55a0000.1.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid AccountsWindows Management Instrumentation211DLL Side-Loading1DLL Side-Loading1Disable or Modify Tools1OS Credential Dumping2System Information Discovery114Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsProcess Injection212Deobfuscate/Decode Files or Information1Credentials in Registry1Query Registry1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerSecurity Software Discovery111SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing3NTDSVirtualization/Sandbox Evasion13Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsProcess Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading1Cached Domain CredentialsApplication Window Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion13DCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection212Proc FilesystemSystem Network Configuration Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                SecuriteInfo.com.Trojan.PackedNET.461.20928.exe51%VirustotalBrowse
                SecuriteInfo.com.Trojan.PackedNET.461.20928.exe52%ReversingLabsWin32.Trojan.Ymacco
                SecuriteInfo.com.Trojan.PackedNET.461.20928.exe100%AviraTR/AD.AgentTesla.fqgqw
                SecuriteInfo.com.Trojan.PackedNET.461.20928.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                SourceDetectionScannerLabelLinkDownload
                1.2.RegAsm.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                0.2.SecuriteInfo.com.Trojan.PackedNET.461.20928.exe.55a0000.1.unpack100%AviraHEUR/AGEN.1138205Download File

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                http://DynDns.comDynDNS0%URL Reputationsafe
                http://DynDns.comDynDNS0%URL Reputationsafe
                http://DynDns.comDynDNS0%URL Reputationsafe
                http://DynDns.comDynDNS0%URL Reputationsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                https://2IzKMJMMUb1a8c.org0%Avira URL Cloudsafe
                http://yandex.ocsp-responder.com030%URL Reputationsafe
                http://yandex.ocsp-responder.com030%URL Reputationsafe
                http://yandex.ocsp-responder.com030%URL Reputationsafe
                http://yandex.ocsp-responder.com030%URL Reputationsafe
                https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe
                https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe
                https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe
                https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe
                http://subca.ocsp-certum.com0.0%URL Reputationsafe
                http://subca.ocsp-certum.com0.0%URL Reputationsafe
                http://subca.ocsp-certum.com0.0%URL Reputationsafe
                http://subca.ocsp-certum.com0.0%URL Reputationsafe
                http://subca.ocsp-certum.com010%URL Reputationsafe
                http://subca.ocsp-certum.com010%URL Reputationsafe
                http://subca.ocsp-certum.com010%URL Reputationsafe
                http://subca.ocsp-certum.com010%URL Reputationsafe
                http://repository.certuqN0%Avira URL Cloudsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                http://soEqfW.com0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                elb097307-934924932.us-east-1.elb.amazonaws.com
                		23.21.42.25
                		truefalse
                  		high
                  smtp.yandex.ru
                  		77.88.21.158
                  		truefalse
                    		high
                    smtp.yandex.com
                    		unknown
                    		unknownfalse
                      		high
                      api.ipify.org
                      		unknown
                      		unknownfalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpfalse
                          		high
                          http://127.0.0.1:HTTP/1.1RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		low
                          http://DynDns.comDynDNSRegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://repository.certum.pl/ctnca.cer09RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpfalse
                            		high
                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haRegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://crl.certum.pl/ctnca.crl0kRegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                              		high
                              https://2IzKMJMMUb1a8c.orgRegAsm.exe, 00000001.00000002.493036568.0000000002CE5000.00000004.00000001.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://yandex.crl.certum.pl/ycasha2.crl0qRegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                		high
                                https://www.certum.pl/CPS0RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                  		high
                                  http://smtp.yandex.comRegAsm.exe, 00000001.00000002.495319989.0000000002F49000.00000004.00000001.sdmpfalse
                                    		high
                                    http://yandex.ocsp-responder.com03RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://api.ipify.orgGETMozilla/5.0RegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://subca.ocsp-certum.com0.RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://management.azure.com/Chttps://login.microsoftonline.comSecuriteInfo.com.Trojan.PackedNET.461.20928.exefalse
                                      		high
                                      http://repository.certum.pl/ca.cer09RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                        		high
                                        https://api.ipify.orgRegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpfalse
                                          		high
                                          http://repository.certum.pl/ctnca.cer0RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                            		high
                                            https://login.microsoftonline.comSecuriteInfo.com.Trojan.PackedNET.461.20928.exefalse
                                              		high
                                              https://management.azure.com/subscriptions/SecuriteInfo.com.Trojan.PackedNET.461.20928.exefalse
                                                		high
                                                http://crls.yandex.net/certum/ycasha2.crl0-RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                                  		high
                                                  https://api.telegram.org/bot%telegramapi%/SecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.246909828.0000000004A46000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.489442244.0000000000402000.00000040.00000001.sdmpfalse
                                                    		high
                                                    http://subca.ocsp-certum.com01RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://management.azure.com/SecuriteInfo.com.Trojan.PackedNET.461.20928.exefalse
                                                      		high
                                                      http://repository.certuqNRegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://crl.certum.pl/ca.crl0hRegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://secure.comodo.com/CPS0RegAsm.exe, 00000001.00000002.499365269.0000000005D8F000.00000004.00000001.sdmpfalse
                                                            		high
                                                            https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------xRegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpfalse
                                                              		high
                                                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipSecuriteInfo.com.Trojan.PackedNET.461.20928.exe, 00000000.00000002.246909828.0000000004A46000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.489442244.0000000000402000.00000040.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.certum.pl/CPS0RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                                                		high
                                                                http://soEqfW.comRegAsm.exe, 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://repository.certum.pl/ycasha2.cer0RegAsm.exe, 00000001.00000002.499239848.0000000005D40000.00000004.00000001.sdmpfalse
                                                                  		high

                                                                  Contacted IPs

                                                                  • No. of IPs < 25%
                                                                  • 25% < No. of IPs < 50%
                                                                  • 50% < No. of IPs < 75%
                                                                  • 75% < No. of IPs

                                                                  Public

                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                  23.21.42.25
                                                                  		unknownUnited States
                                                                  		14618AMAZON-AESUSfalse
                                                                  77.88.21.158
                                                                  		unknownRussian Federation
                                                                  		13238YANDEXRUfalse

                                                                  General Information

                                                                  Joe Sandbox Version:31.0.0 Red Diamond
                                                                  Analysis ID:321286
                                                                  Start date:20.11.2020
                                                                  Start time:19:25:18
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 8m 9s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Sample file name:SecuriteInfo.com.Trojan.PackedNET.461.20928.18265 (renamed file extension from 18265 to exe)
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                  Number of analysed new started processes analysed:23
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@3/2@4/2
                                                                  EGA Information:Failed
                                                                  HDC Information:
                                                                  • Successful, ratio: 0.8% (good quality ratio 0.4%)
                                                                  • Quality average: 36.1%
                                                                  • Quality standard deviation: 39.1%
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 15
                                                                  • Number of non-executed functions: 2
                                                                  Cookbook Comments:
                                                                  • Adjust boot time
                                                                  • Enable AMSI
                                                                  Warnings:
                                                                  Show All
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                                  • Excluded IPs from analysis (whitelisted): 52.255.188.83, 13.88.21.125, 23.210.248.85, 51.104.139.180, 20.54.26.129, 8.253.95.120, 8.248.147.254, 8.248.119.254, 8.241.121.126, 8.248.115.254, 92.122.213.194, 92.122.213.247
                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                  Simulations

                                                                  Behavior and APIs

                                                                  TimeTypeDescription
                                                                  19:26:30API Interceptor821x Sleep call for process: RegAsm.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  23.21.42.25908.exeGet hashmaliciousBrowse
                                                                  • api.ipify.org/
                                                                  0Oen62zpot.exeGet hashmaliciousBrowse
                                                                  • api.ipify.org/
                                                                  Catalogue.exeGet hashmaliciousBrowse
                                                                  • api.ipify.org/
                                                                  zMhsjuuCLk.exeGet hashmaliciousBrowse
                                                                  • api.ipify.org/
                                                                  77.88.21.158CdmgSj4BO8.exeGet hashmaliciousBrowse
                                                                    rURZ9qp1cE.exeGet hashmaliciousBrowse
                                                                      kaeHibiTa3.exeGet hashmaliciousBrowse
                                                                        ZBldmfU3KWpJB3r.exeGet hashmaliciousBrowse
                                                                          RFQs.xlsmGet hashmaliciousBrowse
                                                                            nnab.exeGet hashmaliciousBrowse
                                                                              Purchase Order903882772.exeGet hashmaliciousBrowse
                                                                                6266715850.xlsxGet hashmaliciousBrowse
                                                                                  Request for Quotation Commercial Offer and Official PriceList for 2020.exeGet hashmaliciousBrowse
                                                                                    cL6qhldO7O.exeGet hashmaliciousBrowse
                                                                                      PSR002330 - DURSTONE CADE S L.xlsxGet hashmaliciousBrowse
                                                                                        SWIFT.exeGet hashmaliciousBrowse
                                                                                          c9o0CtTIYT.exeGet hashmaliciousBrowse
                                                                                            MD6J6Opim9.exeGet hashmaliciousBrowse
                                                                                              New Business Inquiry Request for Quotation (MOQ and Payment Delivery Terms and Ports).exeGet hashmaliciousBrowse
                                                                                                ZYJY-2020110010 Uruguay packing list &nbsp Zhongyuan.exeGet hashmaliciousBrowse
                                                                                                  PI.exeGet hashmaliciousBrowse
                                                                                                    Gy0RBDCf7b.exeGet hashmaliciousBrowse
                                                                                                      y56pQ944uR.exeGet hashmaliciousBrowse
                                                                                                        mQZgYDbf6K.exeGet hashmaliciousBrowse

                                                                                                          Domains

                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                          smtp.yandex.ruCdmgSj4BO8.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          rURZ9qp1cE.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          kaeHibiTa3.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          ZBldmfU3KWpJB3r.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          RFQs.xlsmGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          nnab.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          Purchase Order903882772.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          Proof Of Payment...Absa.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          6266715850.xlsxGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          Request for Quotation Commercial Offer and Official PriceList for 2020.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          cL6qhldO7O.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          PSR002330 - DURSTONE CADE S L.xlsxGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          SWIFT.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          c9o0CtTIYT.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          MD6J6Opim9.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          New Business Inquiry Request for Quotation (MOQ and Payment Delivery Terms and Ports).exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          ZYJY-2020110010 Uruguay packing list &nbsp Zhongyuan.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          PI.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          Gy0RBDCf7b.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          Xz5t2YlvYP.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          elb097307-934924932.us-east-1.elb.amazonaws.comDefender-update-kit-x86x64.exeGet hashmaliciousBrowse
                                                                                                          • 54.225.153.147
                                                                                                          https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-usGet hashmaliciousBrowse
                                                                                                          • 54.225.66.103
                                                                                                          ORDER.exeGet hashmaliciousBrowse
                                                                                                          • 54.235.142.93
                                                                                                          Bill # 2.xlsxGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          PO1.xlsxGet hashmaliciousBrowse
                                                                                                          • 174.129.214.20
                                                                                                          a7UZzCVWKO.exeGet hashmaliciousBrowse
                                                                                                          • 54.204.14.42
                                                                                                          QKLQkaCe9M.exeGet hashmaliciousBrowse
                                                                                                          • 50.19.252.36
                                                                                                          sAPuJAvs52.exeGet hashmaliciousBrowse
                                                                                                          • 54.243.161.145
                                                                                                          JlgyVmPWZr.exeGet hashmaliciousBrowse
                                                                                                          • 174.129.214.20
                                                                                                          EIUOzWW2JX.exeGet hashmaliciousBrowse
                                                                                                          • 174.129.214.20
                                                                                                          RVAgYSH2qh.exeGet hashmaliciousBrowse
                                                                                                          • 54.235.142.93
                                                                                                          yCyc4rN0u8.exeGet hashmaliciousBrowse
                                                                                                          • 54.235.83.248
                                                                                                          9cXAnovmQX.exeGet hashmaliciousBrowse
                                                                                                          • 54.225.66.103
                                                                                                          T2HDck1Mmy.exeGet hashmaliciousBrowse
                                                                                                          • 54.235.142.93
                                                                                                          Purchase Order.exeGet hashmaliciousBrowse
                                                                                                          • 54.225.66.103
                                                                                                          Payment Advice Note from 19.11.2020.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.126.66
                                                                                                          phy__1__31629__2649094674__1605642612.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.126.66
                                                                                                          BBVA confirming Aviso de pago Eur5780201120.exeGet hashmaliciousBrowse
                                                                                                          • 54.204.14.42
                                                                                                          Ejgvvuwuu8.exeGet hashmaliciousBrowse
                                                                                                          • 54.225.169.28
                                                                                                          PO N0.1500243224._PDF.exeGet hashmaliciousBrowse
                                                                                                          • 54.204.14.42

                                                                                                          ASN

                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                          YANDEXRUCdmgSj4BO8.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          rURZ9qp1cE.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          kaeHibiTa3.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          ZBldmfU3KWpJB3r.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          RFQs.xlsmGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          nnab.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          Purchase Order903882772.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          6266715850.xlsxGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          Request for Quotation Commercial Offer and Official PriceList for 2020.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          cL6qhldO7O.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          PSR002330 - DURSTONE CADE S L.xlsxGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          SWIFT.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          c9o0CtTIYT.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          MD6J6Opim9.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          New Business Inquiry Request for Quotation (MOQ and Payment Delivery Terms and Ports).exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          ZYJY-2020110010 Uruguay packing list &nbsp Zhongyuan.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          PI.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          Gy0RBDCf7b.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          y56pQ944uR.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          mQZgYDbf6K.exeGet hashmaliciousBrowse
                                                                                                          • 77.88.21.158
                                                                                                          AMAZON-AESUSDefender-update-kit-x86x64.exeGet hashmaliciousBrowse
                                                                                                          • 54.225.153.147
                                                                                                          https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-usGet hashmaliciousBrowse
                                                                                                          • 54.225.66.103
                                                                                                          ORDER.exeGet hashmaliciousBrowse
                                                                                                          • 54.235.142.93
                                                                                                          http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1Get hashmaliciousBrowse
                                                                                                          • 52.1.99.77
                                                                                                          Bill # 2.xlsxGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          https://ubereats.app.link/cwmLFZfMz5?%243p=a_custom_354088&%24deeplink_path=promo%2Fapply%3FpromoCode%3DRECONFORT7&%24desktop_url=tracking.spectrumemp.com/el?aid=8feeb968-bdd0-11e8-b27f-22000be0a14e&rid=50048635&pid=285843&cid=513&dest=overlordscan.com/cmV0by5tZXR6bGVyQGlzb2x1dGlvbnMuY2g=%23#kkowfocjoyuynaip#Get hashmaliciousBrowse
                                                                                                          • 35.170.181.205
                                                                                                          BANK ACCOUNT INFO!.exeGet hashmaliciousBrowse
                                                                                                          • 107.22.223.163
                                                                                                          PO1.xlsxGet hashmaliciousBrowse
                                                                                                          • 174.129.214.20
                                                                                                          https://rebrand.ly/zkp0yGet hashmaliciousBrowse
                                                                                                          • 54.227.164.140
                                                                                                          AccountStatements.htmlGet hashmaliciousBrowse
                                                                                                          • 18.209.113.162
                                                                                                          a7UZzCVWKO.exeGet hashmaliciousBrowse
                                                                                                          • 54.204.14.42
                                                                                                          QKLQkaCe9M.exeGet hashmaliciousBrowse
                                                                                                          • 50.19.252.36
                                                                                                          sAPuJAvs52.exeGet hashmaliciousBrowse
                                                                                                          • 54.243.161.145
                                                                                                          JlgyVmPWZr.exeGet hashmaliciousBrowse
                                                                                                          • 174.129.214.20
                                                                                                          EIUOzWW2JX.exeGet hashmaliciousBrowse
                                                                                                          • 174.129.214.20
                                                                                                          RVAgYSH2qh.exeGet hashmaliciousBrowse
                                                                                                          • 54.235.142.93
                                                                                                          yCyc4rN0u8.exeGet hashmaliciousBrowse
                                                                                                          • 54.235.83.248
                                                                                                          9cXAnovmQX.exeGet hashmaliciousBrowse
                                                                                                          • 54.225.66.103
                                                                                                          T2HDck1Mmy.exeGet hashmaliciousBrowse
                                                                                                          • 54.235.142.93
                                                                                                          Purchase Order 40,7045$.exeGet hashmaliciousBrowse
                                                                                                          • 52.71.133.130

                                                                                                          JA3 Fingerprints

                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                          3b5074b1b5d032e5620f69f9f700ff0eARjQJiNmBs.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          1piS4PBvBp.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          ORDER.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          a7UZzCVWKO.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          QKLQkaCe9M.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          sAPuJAvs52.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          JlgyVmPWZr.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          EIUOzWW2JX.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          yCyc4rN0u8.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          9cXAnovmQX.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          T2HDck1Mmy.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          Payment Advice Note from 19.11.2020.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          PO N0.1500243224._PDF.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          zRHI9DJ0YKIPfBX.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          chib(1).exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          dede.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          obi(1).exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          frc(1).exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          knitted yarn documents.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25
                                                                                                          ano.exeGet hashmaliciousBrowse
                                                                                                          • 23.21.42.25

                                                                                                          Dropped Files

                                                                                                          No context

                                                                                                          Created / dropped Files

                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe.log
                                                                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):315
                                                                                                          Entropy (8bit):5.350410246151501
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:Q3La/xwcE73FKDLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hg1KDLI4M9tDLI4MWuPk21v
                                                                                                          MD5:EE0BB4B63A030A0BF7087CB0AEBD07BC
                                                                                                          SHA1:9A4ADFB6336E22D49503B4B99FFC25A7882AE202
                                                                                                          SHA-256:6CBBAF20B7871B931A8A0B1D54890DC0E6C9ED78E7DEC5E2AB2F6D12DF349DFF
                                                                                                          SHA-512:47644A669A15A83D0BAA1F801BB34E36B1F8FE700E5C7A4396D684FE85AFFF6B32F511AEDD0E304DB48383E04A5044CA1B313D559737F5CD967CC00F8FDFC38B
                                                                                                          Malicious:true
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                                                                                                          C:\Users\user\AppData\Roaming\2algnkt3.aiu\Chrome\Default\Cookies
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                          Category:dropped
                                                                                                          Size (bytes):20480
                                                                                                          Entropy (8bit):0.6970840431455908
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                                                          MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                                                          SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                                                          SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                                                          SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                                                          Malicious:false
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):7.864453649536543
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          File name:SecuriteInfo.com.Trojan.PackedNET.461.20928.exe
                                                                                                          File size:586240
                                                                                                          MD5:0daef62b8a4b65f7ce2021e21941e32e
                                                                                                          SHA1:f7151675eca0e8523ed49af966c2d794b058517e
                                                                                                          SHA256:d859634791d000b01f18b3e4edc144cfb67ad9983f39d771f18ca2a4d749323b
                                                                                                          SHA512:413e1b44433e4c190a9dc7a29e715fb56756cb109f2a9680ad19f364805dba3587fc18aa682fd31103637358bcc3212e3c4ace2000617270d30abe31d8c88762
                                                                                                          SSDEEP:12288:lULVIwRue80CaPOYfBQolH/tEvoii6QxFhICiULqyBP9DA8JHKRDT:Ur180Ca2kBfB1EAii3FhILUXBlDA8tKR
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|.._................................. ... ....@.. .......................`............@................................

                                                                                                          File Icon

                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x49080e
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                          Time Stamp:0x5FB4EA7C [Wed Nov 18 09:33:48 2020 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                          Entrypoint Preview

                                                                                                          Instruction
                                                                                                          jmp dword ptr [00402000h]
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al

                                                                                                          Data Directories

                                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x907bc0x4f.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x920000x242.rsrc
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x940000xc.reloc
                                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                          Sections

                                                                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                          .text0x20000x8e8140x8ea00False0.935190827673SysEx File - Kurzweil/Future Retro Bank 1, Channel 97.8686198737IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                          .rsrc0x920000x2420x400False0.3076171875data3.56273769009IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                          .reloc0x940000xc0x200False0.044921875data0.0815394123432IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                          Resources

                                                                                                          NameRVASizeTypeLanguageCountry
                                                                                                          RT_MANIFEST0x920580x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                          Imports

                                                                                                          DLLImport
                                                                                                          mscoree.dll_CorExeMain

                                                                                                          Network Behavior

                                                                                                          Network Port Distribution

                                                                                                          TCP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Nov 20, 2020 19:27:50.564285994 CET49740443192.168.2.323.21.42.25
                                                                                                          Nov 20, 2020 19:27:50.666688919 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:50.666794062 CET49740443192.168.2.323.21.42.25
                                                                                                          Nov 20, 2020 19:27:50.705985069 CET49740443192.168.2.323.21.42.25
                                                                                                          Nov 20, 2020 19:27:50.808331013 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:50.808360100 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:50.808373928 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:50.808386087 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:50.808402061 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:50.808476925 CET49740443192.168.2.323.21.42.25
                                                                                                          Nov 20, 2020 19:27:50.808545113 CET49740443192.168.2.323.21.42.25
                                                                                                          Nov 20, 2020 19:27:50.809530973 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:50.858505011 CET49740443192.168.2.323.21.42.25
                                                                                                          Nov 20, 2020 19:27:50.961071014 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:51.004965067 CET49740443192.168.2.323.21.42.25
                                                                                                          Nov 20, 2020 19:27:51.676534891 CET49740443192.168.2.323.21.42.25
                                                                                                          Nov 20, 2020 19:27:51.820050955 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:52.083458900 CET4434974023.21.42.25192.168.2.3
                                                                                                          Nov 20, 2020 19:27:52.130053043 CET49740443192.168.2.323.21.42.25
                                                                                                          Nov 20, 2020 19:27:58.382222891 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:58.435096025 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.435312033 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:58.574459076 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.575035095 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:58.627809048 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.627840996 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.628179073 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:58.681076050 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.681808949 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:58.736090899 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.736134052 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.736150980 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.736164093 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.736346006 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:58.781280994 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:58.834579945 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.850642920 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:58.903578997 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.905662060 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:58.958583117 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.959599018 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:59.029395103 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:59.030926943 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:59.093538046 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:59.093965054 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:59.150490999 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:59.151074886 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:59.203895092 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:59.205261946 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:59.205394983 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:59.205503941 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:59.205594063 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:27:59.258128881 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:27:59.258172989 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:00.158128977 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:00.208794117 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.045981884 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.099844933 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.099869013 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.107911110 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.111928940 CET49742587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.112834930 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.164813995 CET5874974277.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.167136908 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.170943022 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.300329924 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.300682068 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.354933023 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.354954004 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.355289936 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.409542084 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.410200119 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.465679884 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.465708017 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.465719938 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.465733051 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.465833902 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.470885992 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.525501966 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.528270006 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.582700968 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.583427906 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.637752056 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.638557911 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.736917019 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.805296898 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.805823088 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.860151052 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.871032953 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.871562958 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.932570934 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.933108091 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.987540960 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:01.989283085 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.989430904 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.989531040 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.989633083 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.989804983 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.989907026 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.989984035 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:01.990058899 CET49743587192.168.2.377.88.21.158
                                                                                                          Nov 20, 2020 19:28:02.043713093 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:02.043749094 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:02.043922901 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:02.044020891 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:02.084888935 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:02.700890064 CET5874974377.88.21.158192.168.2.3
                                                                                                          Nov 20, 2020 19:28:02.755878925 CET49743587192.168.2.377.88.21.158

                                                                                                          UDP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Nov 20, 2020 19:26:09.126458883 CET5319553192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:09.153629065 CET53531958.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:10.941152096 CET5014153192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:10.968161106 CET53501418.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:11.726533890 CET5302353192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:11.762157917 CET53530238.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:13.240852118 CET4956353192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:13.268037081 CET53495638.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:14.097101927 CET5135253192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:14.124253988 CET53513528.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:15.263859987 CET5934953192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:15.290884018 CET53593498.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:16.464489937 CET5708453192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:16.491749048 CET53570848.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:17.558891058 CET5882353192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:17.586014986 CET53588238.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:36.424998999 CET5756853192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:36.465370893 CET53575688.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:37.404459953 CET5054053192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:37.431592941 CET53505408.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:53.655304909 CET5436653192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:53.682466030 CET53543668.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:26:57.386756897 CET5303453192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:26:57.424304008 CET53530348.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:27:11.445118904 CET5776253192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:27:11.472172976 CET53577628.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:27:15.825259924 CET5543553192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:27:15.862520933 CET53554358.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:27:48.603758097 CET5071353192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:27:48.630809069 CET53507138.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:27:50.072036028 CET5613253192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET53561328.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:27:50.115535021 CET5898753192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET53589878.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:27:54.529968023 CET5657953192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:27:54.565705061 CET53565798.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.301122904 CET6063353192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:27:58.336817980 CET53606338.8.8.8192.168.2.3
                                                                                                          Nov 20, 2020 19:27:58.344650030 CET6129253192.168.2.38.8.8.8
                                                                                                          Nov 20, 2020 19:27:58.380335093 CET53612928.8.8.8192.168.2.3

                                                                                                          DNS Queries

                                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                          Nov 20, 2020 19:27:50.072036028 CET192.168.2.38.8.8.80xc48aStandard query (0)api.ipify.orgA (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.115535021 CET192.168.2.38.8.8.80xa752Standard query (0)api.ipify.orgA (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:58.301122904 CET192.168.2.38.8.8.80x5c2bStandard query (0)smtp.yandex.comA (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:58.344650030 CET192.168.2.38.8.8.80xb5c2Standard query (0)smtp.yandex.comA (IP address)IN (0x0001)

                                                                                                          DNS Answers

                                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)api.ipify.orgnagano-19599.herokussl.comCNAME (Canonical name)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)nagano-19599.herokussl.comelb097307-934924932.us-east-1.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)elb097307-934924932.us-east-1.elb.amazonaws.com23.21.42.25A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)elb097307-934924932.us-east-1.elb.amazonaws.com50.19.252.36A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)elb097307-934924932.us-east-1.elb.amazonaws.com23.21.252.4A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.204.14.42A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.225.169.28A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.235.83.248A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.235.182.194A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.099030972 CET8.8.8.8192.168.2.30xc48aNo error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.243.164.148A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)api.ipify.orgnagano-19599.herokussl.comCNAME (Canonical name)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)nagano-19599.herokussl.comelb097307-934924932.us-east-1.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.225.66.103A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.243.161.145A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.225.169.28A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)elb097307-934924932.us-east-1.elb.amazonaws.com184.73.247.141A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.235.83.248A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)elb097307-934924932.us-east-1.elb.amazonaws.com50.19.252.36A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)elb097307-934924932.us-east-1.elb.amazonaws.com54.243.164.148A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:50.142608881 CET8.8.8.8192.168.2.30xa752No error (0)elb097307-934924932.us-east-1.elb.amazonaws.com23.21.42.25A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:58.336817980 CET8.8.8.8192.168.2.30x5c2bNo error (0)smtp.yandex.comsmtp.yandex.ruCNAME (Canonical name)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:58.336817980 CET8.8.8.8192.168.2.30x5c2bNo error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:58.380335093 CET8.8.8.8192.168.2.30xb5c2No error (0)smtp.yandex.comsmtp.yandex.ruCNAME (Canonical name)IN (0x0001)
                                                                                                          Nov 20, 2020 19:27:58.380335093 CET8.8.8.8192.168.2.30xb5c2No error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)

                                                                                                          HTTPS Packets

                                                                                                          TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                                                                          Nov 20, 2020 19:27:50.809530973 CET23.21.42.25443192.168.2.349740CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBWed Jan 24 01:00:00 CET 2018 Wed Feb 12 01:00:00 CET 2014 Tue Jan 19 01:00:00 CET 2010Sun Jan 24 00:59:59 CET 2021 Mon Feb 12 00:59:59 CET 2029 Tue Jan 19 00:59:59 CET 2038771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                          CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBWed Feb 12 01:00:00 CET 2014Mon Feb 12 00:59:59 CET 2029
                                                                                                          CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBTue Jan 19 01:00:00 CET 2010Tue Jan 19 00:59:59 CET 2038

                                                                                                          SMTP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IPCommands
                                                                                                          Nov 20, 2020 19:27:58.574459076 CET5874974277.88.21.158192.168.2.3220 iva4-bca95d3b11b1.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
                                                                                                          Nov 20, 2020 19:27:58.575035095 CET49742587192.168.2.377.88.21.158EHLO 287400
                                                                                                          Nov 20, 2020 19:27:58.627840996 CET5874974277.88.21.158192.168.2.3250-iva4-bca95d3b11b1.qloud-c.yandex.net
                                                                                                          250-8BITMIME
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 42991616
                                                                                                          250-STARTTLS
                                                                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                          250-DSN
                                                                                                          250 ENHANCEDSTATUSCODES
                                                                                                          Nov 20, 2020 19:27:58.628179073 CET49742587192.168.2.377.88.21.158STARTTLS
                                                                                                          Nov 20, 2020 19:27:58.681076050 CET5874974277.88.21.158192.168.2.3220 Go ahead
                                                                                                          Nov 20, 2020 19:28:01.300329924 CET5874974377.88.21.158192.168.2.3220 vla5-47b3f4751bc4.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
                                                                                                          Nov 20, 2020 19:28:01.300682068 CET49743587192.168.2.377.88.21.158EHLO 287400
                                                                                                          Nov 20, 2020 19:28:01.354954004 CET5874974377.88.21.158192.168.2.3250-vla5-47b3f4751bc4.qloud-c.yandex.net
                                                                                                          250-8BITMIME
                                                                                                          250-PIPELINING
                                                                                                          250-SIZE 42991616
                                                                                                          250-STARTTLS
                                                                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                          250-DSN
                                                                                                          250 ENHANCEDSTATUSCODES
                                                                                                          Nov 20, 2020 19:28:01.355289936 CET49743587192.168.2.377.88.21.158STARTTLS
                                                                                                          Nov 20, 2020 19:28:01.409542084 CET5874974377.88.21.158192.168.2.3220 Go ahead

                                                                                                          Code Manipulations

                                                                                                          Statistics

                                                                                                          CPU Usage

                                                                                                          Click to jump to process

                                                                                                          Memory Usage

                                                                                                          Click to jump to process

                                                                                                          High Level Behavior Distribution

                                                                                                          Click to dive into process behavior distribution

                                                                                                          Behavior

                                                                                                          Click to jump to process

                                                                                                          System Behavior

                                                                                                          Analysis Process: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe PID: 488 Parent PID: 5552

                                                                                                          General

                                                                                                          Start time:19:26:14
                                                                                                          Start date:20/11/2020
                                                                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.461.20928.exe'
                                                                                                          Imagebase:0xa50000
                                                                                                          File size:586240 bytes
                                                                                                          MD5 hash:0DAEF62B8A4B65F7CE2021E21941E32E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.244849667.0000000001161000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.246909828.0000000004A46000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.248059193.00000000055A2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:low

                                                                                                          Chronological Activities

                                                                                                          Analysis Process: RegAsm.exe PID: 5912 Parent PID: 488

                                                                                                          General

                                                                                                          Start time:19:26:21
                                                                                                          Start date:20/11/2020
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                          Imagebase:0x7d0000
                                                                                                          File size:64616 bytes
                                                                                                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.492905850.0000000002C91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.493036568.0000000002CE5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.493036568.0000000002CE5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.489442244.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:moderate

                                                                                                          Chronological Activities

                                                                                                          Disassembly

                                                                                                          Code Analysis

                                                                                                          Reset < >

                                                                                                            Analysis Process: SecuriteInfo.com.Trojan.PackedNET.461.20928.exe PID: 488 Parent PID: 5552 SecuriteInfo.com.Trojan.PackedNET.461.20928.exeCOMMON

                                                                                                            Executed Functions

                                                                                                            Function 055901CB, Relevance: 517.4, Strings: 413, Instructions: 1134COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.248012672.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Section$OpenView
                                                                                                            • String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
                                                                                                            • API String ID: 2380476227-789266925
                                                                                                            • Opcode ID: c194c161092c18b131e039ca3b66cc3a3cccb98f9a19bdd52842cff60dc8cd3f
                                                                                                            • Instruction ID: b9820c25a8489b96454d9315c6da06201e942913ca703db317198b90c88995cd
                                                                                                            • Opcode Fuzzy Hash: c194c161092c18b131e039ca3b66cc3a3cccb98f9a19bdd52842cff60dc8cd3f
                                                                                                            • Instruction Fuzzy Hash: F4D2B0B1C0526D8ACF21DFA18D89BCEBBB8BF55700F1081DAD148AB215EB359B84CF55
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05591C09, Relevance: 15.2, APIs: 10, Instructions: 225nativethreadprocessCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 05591CB7
                                                                                                            • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 05591CDC
                                                                                                            • NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 05591CF6
                                                                                                            • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 05591D41
                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05591D66
                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05591DA9
                                                                                                            • NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 05591E36
                                                                                                            • NtGetContextThread.NTDLL(?,?), ref: 05591E50
                                                                                                            • NtSetContextThread.NTDLL(?,00010007), ref: 05591E74
                                                                                                            • NtResumeThread.NTDLL(?,00000000), ref: 05591E86
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.248012672.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3307612235-0
                                                                                                            • Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
                                                                                                            • Instruction ID: fff44f4ed1f2771a5623510856157b1091db3390ede4b741c46c8c9c7d5c1f6b
                                                                                                            • Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
                                                                                                            • Instruction Fuzzy Hash: BB91E571900659AFDF21DFA5CC89EEEBBB8FF89705F004055FA09EA150D735AA44CB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 055900AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • NtOpenSection.NTDLL(?,0000000C,?), ref: 05590199
                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 055901B8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.248012672.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Section$OpenView
                                                                                                            • String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
                                                                                                            • API String ID: 2380476227-2634024955
                                                                                                            • Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
                                                                                                            • Instruction ID: 3d4a6570f12fdb5e1471747d3d7acbe5d0a6eec4b04d82389d6bdbb1091df1c9
                                                                                                            • Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
                                                                                                            • Instruction Fuzzy Hash: CF3137B1E00259EFCB14CFE4C985ADEBBB8FF08750F10455AE514EB250E778AA05CBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 01349280, Relevance: 1.5, APIs: 1, Instructions: 234memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 01349508
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.244959184.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: f2963530ec781b91cb7271df78ac817f195a3c4787d45ddc2ef9ef71ef3ced66
                                                                                                            • Instruction ID: a31c2aa76aad7bc7ef3676b78b9bff8d1bced7058eb4a74f2588ab533bb7eedd
                                                                                                            • Opcode Fuzzy Hash: f2963530ec781b91cb7271df78ac817f195a3c4787d45ddc2ef9ef71ef3ced66
                                                                                                            • Instruction Fuzzy Hash: D981F271B042058FCB10DBB8C8947AFBBE5AF89318F158969D519DB381CB35EC06CBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 013494A0, Relevance: 1.3, APIs: 1, Instructions: 50memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 01349508
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.244959184.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: 58f1777892da627e405c4ca7d702ea0df185e75802b818690af8eaa513864800
                                                                                                            • Instruction ID: de5893bdafe148508aeb75d94f92c4dc3254b1604eeea7f2aad8761ddf3ef69d
                                                                                                            • Opcode Fuzzy Hash: 58f1777892da627e405c4ca7d702ea0df185e75802b818690af8eaa513864800
                                                                                                            • Instruction Fuzzy Hash: B81116759002089FCB10DF9AC844BDFFBF4EB88324F248419E519A7210C775A944CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            Function 013404DF, Relevance: .3, Instructions: 270COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.244959184.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 548a8c74758fb5f16aeb87247cab2a1377630fb799ab4453ad9ea484a3a440fd
                                                                                                            • Instruction ID: f891f764627fd9a8f26700724e202095e7fd829fba94589bca4a6563b5e62714
                                                                                                            • Opcode Fuzzy Hash: 548a8c74758fb5f16aeb87247cab2a1377630fb799ab4453ad9ea484a3a440fd
                                                                                                            • Instruction Fuzzy Hash: AFD10831C20A5A8ACB11EBA4C8A0ADDB775FF95300F50CB9AD5497B214FB716AC5CF81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 013404F0, Relevance: .3, Instructions: 264COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.244959184.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bf647ef56592cf982f8744408f134a573bacc7184d2ab5a5185d40a8f0bfd0c4
                                                                                                            • Instruction ID: 447ae5429971ede7b6a5396edb16fe5a8c437ef6fb88bede6c8018816411fb03
                                                                                                            • Opcode Fuzzy Hash: bf647ef56592cf982f8744408f134a573bacc7184d2ab5a5185d40a8f0bfd0c4
                                                                                                            • Instruction Fuzzy Hash: 95D1E731C20A5A8ACB10EBA4C9A0ADDB775FF95300F50CB9AD5497B214FB716AC5CF81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Analysis Process: RegAsm.exe PID: 5912 Parent PID: 488 RegAsm.exeCOMMON

                                                                                                            Executed Functions

                                                                                                            Function 02A56B7F, Relevance: 6.1, APIs: 4, Instructions: 144threadCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 02A56C10
                                                                                                            • GetCurrentThread.KERNEL32 ref: 02A56C4D
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 02A56C8A
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02A56CE3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: b2da8156531df58f338c746cdda34c90d28863c58c352ef466ad6f1f301e2e21
                                                                                                            • Instruction ID: 150e25d7a68daf521a67815416c2786a690dc9a815cc1b7eef0da2f2e2ddde50
                                                                                                            • Opcode Fuzzy Hash: b2da8156531df58f338c746cdda34c90d28863c58c352ef466ad6f1f301e2e21
                                                                                                            • Instruction Fuzzy Hash: 9651AAB0A042988FCB10CFA9CA887DEBFF4FF49318F24859EE448A7251DB345844CB25
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 02A56BB0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 02A56C10
                                                                                                            • GetCurrentThread.KERNEL32 ref: 02A56C4D
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 02A56C8A
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02A56CE3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: ba7f7453974753684f0a89d65a2ba165122c468744504a8ebf902e4778123bee
                                                                                                            • Instruction ID: 56bea1b0afa9c343b31b9125918a3f092bfdd45d83c7577147c613274652466f
                                                                                                            • Opcode Fuzzy Hash: ba7f7453974753684f0a89d65a2ba165122c468744504a8ebf902e4778123bee
                                                                                                            • Instruction Fuzzy Hash: 445157B0A006588FDB14CFA9CA487DEBBF5FF48318F208599E809A7350DB346844CF65
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 02A551E5, Relevance: 1.6, APIs: 1, Instructions: 114COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A55302
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: 6a74baf326807afa2a8b134a6b73e5d3d447da1359f90151933a4309420849d1
                                                                                                            • Instruction ID: 57ca4728661d15638033185c3ba5ecf615351774988d0cbb1fb53c92452b4e45
                                                                                                            • Opcode Fuzzy Hash: 6a74baf326807afa2a8b134a6b73e5d3d447da1359f90151933a4309420849d1
                                                                                                            • Instruction Fuzzy Hash: 6651DFB1D10319DFDF14CF99C894ADEBBB5BF48314F64812AE819AB210D7B49845CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 02A551F0, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A55302
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: b17fbd6659766b7e5331aaf19a369c56bd59a1a633bcd92fcd36e6e2bec08c29
                                                                                                            • Instruction ID: 5c0120c75f42a2d8db3f1df8beabc62d2d24f35292c38635c7e6b4f351c5640e
                                                                                                            • Opcode Fuzzy Hash: b17fbd6659766b7e5331aaf19a369c56bd59a1a633bcd92fcd36e6e2bec08c29
                                                                                                            • Instruction Fuzzy Hash: 4541C0B1D00319DFDF14CF99C894ADEBBB5BF88314F64812AE819AB210D7749845CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 02A569C4, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 02A57D61
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CallProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2714655100-0
                                                                                                            • Opcode ID: e090528cc341954f314a1745d567b7078d14040daa0c524f72ee3147d81f26fe
                                                                                                            • Instruction ID: 8b2998c5b19186a58bfc6f6d136cd5821d87f67b2abd9d5c27b25f46ada42ae8
                                                                                                            • Opcode Fuzzy Hash: e090528cc341954f314a1745d567b7078d14040daa0c524f72ee3147d81f26fe
                                                                                                            • Instruction Fuzzy Hash: 9A4107B5A007198FCB14CF59C888AABFBF5FF88314F248499E919A7351D774A941CFA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 02A56DD1, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A56E5F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: 429d566e3942595acb4b117e19b4b035558524829df74b9ad0c0203151174c14
                                                                                                            • Instruction ID: 11d0425420e0cf98fd46153ae0c5d67542ebd2d7d3ca04920de559d17780fbfc
                                                                                                            • Opcode Fuzzy Hash: 429d566e3942595acb4b117e19b4b035558524829df74b9ad0c0203151174c14
                                                                                                            • Instruction Fuzzy Hash: 0E21E2B59002599FDB10CFA9D884AEEBBF4FB48324F24845AE914A3310D778A955CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 02A56DD8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A56E5F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: 629ba4f80062502a56a36fa07583fad183af6c5a4a5e48744c062a2fa053999a
                                                                                                            • Instruction ID: 604acf0572dd205d6c3fe320dd2caeb94e54f93e34aa044eacd5f5c15c9ca81c
                                                                                                            • Opcode Fuzzy Hash: 629ba4f80062502a56a36fa07583fad183af6c5a4a5e48744c062a2fa053999a
                                                                                                            • Instruction Fuzzy Hash: 8B21D5B59002599FDB10CFA9D984ADEFBF8FB48314F14841AE914A3310D774A954CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 02A5BDD8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02A5BE52
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            • Opcode ID: 3363af094edc69683a500a95594efa0468c3b2d08db3a1d354fd459322c56fb1
                                                                                                            • Instruction ID: 2dc2d16db3578f700d8a622deea80d2eb67a85e2a7afc0d8eb08582be4921022
                                                                                                            • Opcode Fuzzy Hash: 3363af094edc69683a500a95594efa0468c3b2d08db3a1d354fd459322c56fb1
                                                                                                            • Instruction Fuzzy Hash: 821167B19003598FDB10DFAAD9487DFBBF4FB44319F24882AD905A3644DB39A509CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 02A52F8C, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 02A54276
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            • Opcode ID: 80dc5d70a3b7d74338fec39592f4937df9f050eb1eab21f3dc507a0ee55675ab
                                                                                                            • Instruction ID: 817a131a2911aab48a2283d0ba0047c97ea69e34bf89addd67894e9ae77182a8
                                                                                                            • Opcode Fuzzy Hash: 80dc5d70a3b7d74338fec39592f4937df9f050eb1eab21f3dc507a0ee55675ab
                                                                                                            • Instruction Fuzzy Hash: 8F1132B1D006698FCB10CF9AC444BDFFBF4EB88214F10851AD829B7600D375A545CFA5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 02A5420C, Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 02A54276
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.492682843.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            • Opcode ID: 4b0392bda29388abbaa80e133764cf0a152331d323d8fd741c8679d85bd3cf3d
                                                                                                            • Instruction ID: 02c2c7f0d7dc7f008836e2086f71ec4185c5433f24211d3e194acaeedf951f8c
                                                                                                            • Opcode Fuzzy Hash: 4b0392bda29388abbaa80e133764cf0a152331d323d8fd741c8679d85bd3cf3d
                                                                                                            • Instruction Fuzzy Hash: 1D110FB6D002598FCB10CF9AC584BDEFBF4EF88214F21855AD829B7600D374A54ACFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions