
Analysis Report FAKTURA I RACHUNKI.exe

Overview

General Information

Sample Name: FAKTURA I RACHUNKI.exe
Analysis ID: 383950
MD5: ac62ebbbf6ec96f48a8cca64793bf8fb
SHA1: c1e10d41d090cb7d0505b46a1b48f3f533aa6aad
SHA256: 5708e5be9ec5564f3f16b38f87b0c7a0178274ed580a8566e31a995a80e353bb
Tags: GuLoader

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • FAKTURA I RACHUNKI.exe (PID: 5744 cmdline: 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe' MD5: AC62EBBBF6EC96F48A8CCA64793BF8FB)
    • RegAsm.exe (PID: 5584 cmdline: 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 5612 cmdline: 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "JrBJv6DyR8", "URL: ": "http://KeXrtgodXUi1h.com", "To: ": "syndic8@yandex.com", "ByHost: ": "mail.brimaq.com:587", "Password: ": "UXB9CyQFuVvwdgx", "From: ": "jaen@brimaq.com"}

Yara Overview

Memory Dumps

Source: 00000002.00000002.608367607.0000000000F81000.00000040.00000001.sdmp; Rule: JoeSecurity_GuLoader; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: Process Memory Space: RegAsm.exe PID: 5612; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: Process Memory Space: RegAsm.exe PID: 5612; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 78.128.8.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 5612, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49751

Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.5612.2.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "JrBJv6DyR8", "URL: ": "http://KeXrtgodXUi1h.com", "To: ": "syndic8@yandex.com", "ByHost: ": "mail.brimaq.com:587", "Password: ": "UXB9CyQFuVvwdgx", "From: ": "jaen@brimaq.com"}
Multi AV Scanner detection for submitted file
Source: FAKTURA I RACHUNKI.exe; Virustotal: Detection: 21%
Source: FAKTURA I RACHUNKI.exe; ReversingLabs: Detection: 12%
Source: FAKTURA I RACHUNKI.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown; HTTPS traffic detected: 172.217.168.33:443 -> 192.168.2.6:49717 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://KeXrtgodXUi1h.com
Source: global traffic; TCP traffic: 192.168.2.6:49751 -> 78.128.8.31:587
Source: Joe Sandbox View; ASN Name: TELEPOINTBG TELEPOINTBG
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS traffic detected: queries for: doc-0s-1k-docs.googleusercontent.com
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: http://KeXrtgodXUi1h.com
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: http://bbllRW.com
Source: RegAsm.exe, 00000002.00000002.614735524.000000001DE41000.00000004.00000001.sdmp; String found in binary or memory: http://brimaq.com
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000002.00000002.614735524.000000001DE41000.00000004.00000001.sdmp; String found in binary or memory: http://mail.brimaq.com
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp; String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://r3.i.lencr.org/0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: https://doc-0s-1k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ilq0gs3h
Source: RegAsm.exe; String found in binary or memory: https://drive.google.com/uc?export=download&id=16YYVHnEy9_-NyGEipJqgNlcMWFoYiAxO
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown; Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown; HTTPS traffic detected: 172.217.168.33:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_0041112C OpenClipboard, 0_2_0041112C

System Summary:

Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_023450CB NtResumeThread, 0_2_023450CB
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_02345294 NtResumeThread, 0_2_02345294
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_0234533A NtResumeThread, 0_2_0234533A
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_02345170 NtResumeThread, 0_2_02345170
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_02345162 NtResumeThread, 0_2_02345162
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_023453E8 NtResumeThread, 0_2_023453E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F8525E NtSetInformationThread, 2_2_00F8525E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F84E07 NtProtectVirtualMemory, 2_2_00F84E07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F853E8 NtSetInformationThread, 2_2_00F853E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F85294 NtSetInformationThread, 2_2_00F85294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F8533A NtSetInformationThread, 2_2_00F8533A
Source: FAKTURA I RACHUNKI.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FAKTURA I RACHUNKI.exe, 00000000.00000002.397678090.000000000041A000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamespiritu.exe vs FAKTURA I RACHUNKI.exe
Source: FAKTURA I RACHUNKI.exe; Binary or memory string: OriginalFilenamespiritu.exe vs FAKTURA I RACHUNKI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc.dll
Source: FAKTURA I RACHUNKI.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@6/1@3/2
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_01
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; File created: C:\Users\user\AppData\Local\Temp\~DF991822A0E7AF3EFE.TMP
Source: FAKTURA I RACHUNKI.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: FAKTURA I RACHUNKI.exe; Virustotal: Detection: 21%
Source: FAKTURA I RACHUNKI.exe; ReversingLabs: Detection: 12%
Source: unknown; Process created: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match; File source: 00000002.00000002.608367607.0000000000F81000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002342385 second address: 0000000002342385 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F4DA0B46EF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, ax 0x00000020 pop ecx 0x00000021 cmp dl, FFFFFF90h 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F4DA0B46EDBh 0x0000002c push ecx 0x0000002d cmp dl, bl 0x0000002f call 00007F4DA0B46F0Dh 0x00000034 call 00007F4DA0B46F08h 0x00000039 lfence 0x0000003c mov edx, dword ptr [7FFE0014h] 0x00000042 lfence 0x00000045 ret 0x00000046 mov esi, edx 0x00000048 pushad 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002345485 second address: 0000000002345485 instructions:
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002340984 second address: 0000000002340984 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F80B51 second address: 0000000000F80B51 instructions:
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: RegAsm.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002342385 second address: 0000000002342385 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F4DA0B46EF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, ax 0x00000020 pop ecx 0x00000021 cmp dl, FFFFFF90h 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F4DA0B46EDBh 0x0000002c push ecx 0x0000002d cmp dl, bl 0x0000002f call 00007F4DA0B46F0Dh 0x00000034 call 00007F4DA0B46F08h 0x00000039 lfence 0x0000003c mov edx, dword ptr [7FFE0014h] 0x00000042 lfence 0x00000045 ret 0x00000046 mov esi, edx 0x00000048 pushad 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 00000000023424DB second address: 00000000023424DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F4DA05B9491h 0x0000001d popad 0x0000001e call 00007F4DA05B7370h 0x00000023 lfence 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002345485 second address: 0000000002345485 instructions:
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002340984 second address: 0000000002340984 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F824DB second address: 0000000000F824DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F4DA0B49021h 0x0000001d popad 0x0000001e call 00007F4DA0B46F00h 0x00000023 lfence 0x00000026 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F80B51 second address: 0000000000F80B51 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F824D8 rdtsc 2_2_00F824D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 1095
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 8754
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4980 | Thread sleep time: -14757395258967632s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
            Source: RegAsm.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation

            Anti Debugging:

            Hides threads from debuggers
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F824D8 rdtsc 2_2_00F824D8
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Code function: 0_2_02342E6B LdrInitializeThunk, 0_2_02342E6B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F822DB mov eax, dword ptr fs:[00000030h] 2_2_00F822DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F849C5 mov eax, dword ptr fs:[00000030h] 2_2_00F849C5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F84A48 mov eax, dword ptr fs:[00000030h] 2_2_00F84A48
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F83F39 mov eax, dword ptr fs:[00000030h] 2_2_00F83F39
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F84310 mov eax, dword ptr fs:[00000030h] 2_2_00F84310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F80000
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
            Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
            Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:
