Analysis Report ordine n#U00b0 276.exe

Overview

General Information

Sample Name: ordine n#U00b0 276.exe
Analysis ID: 403969
MD5: 10f03c95ba280cd5a82146269f89ca9d
SHA1: c24232721d7aefe2c013b9642e0ab7db8007e48a
SHA256: 11f63d2fda1055ac66a71cb539c9d5ff66fd79f473e19171fd8f663e2c4979b9
Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • ordine n#U00b0 276.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\ordine n#U00b0 276.exe' MD5: 10F03C95BA280CD5A82146269F89CA9D)
    • RegAsm.exe (PID: 1280 cmdline: 'C:\Users\user\Desktop\ordine n#U00b0 276.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "Bx27nFj5fV0", "URL: ": "http://9OElorZCtFCqdkfzny.net", "To: ": "greendogman@yandex.com", "ByHost: ": "smtp.fil-net.com:587", "Password: ": "jEiJ6rpwhGxFJ", "From: ": "comercial@fil-net.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x1298:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000000.643378031.000000000040C000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x1298:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: RegAsm.exe PID: 1280 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 46.16.61.250, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 1280, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49764

Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.1280.8.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "Bx27nFj5fV0", "URL: ": "http://9OElorZCtFCqdkfzny.net", "To: ": "greendogman@yandex.com", "ByHost: ": "smtp.fil-net.com:587", "Password: ": "jEiJ6rpwhGxFJ", "From: ": "comercial@fil-net.com"}
Source: ordine n#U00b0 276.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000008.00000002.1734186092.0000000020A70000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://9OElorZCtFCqdkfzny.net
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 46.16.61.250:587
Source: Joe Sandbox View | IP Address: 46.16.61.250
Source: Joe Sandbox View | ASN Name: CDMONsistemescdmoncomES
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_1DB3A09A recv
Source: unknown | DNS traffic detected: queries for: doc-10-9k-docs.googleusercontent.com
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp | String found in binary or memory: http://9OElorZCtFCqdkfzny.net
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp | String found in binary or memory: http://mGfDbY.com
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0%
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000008.00000003.999355961.00000000013FA000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000008.00000002.1726751510.0000000001380000.00000004.00000020.sdmp | String found in binary or memory: https://doc-10-9k-docs.googleusercontent.com/
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: https://doc-10-9k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ka3e4p4q
Source: RegAsm.exe, 00000008.00000002.1726830201.00000000013A4000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000008.00000002.1726776559.0000000001388000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1eL1W59FTaS1ZK7NLLis7VKY3s5Fdhau-
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000000.643378031.000000000040C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B954FB NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_1DB3B0BA NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_1DB3B089 NtQuerySystemInformation
Source: ordine n#U00b0 276.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ordine n#U00b0 276.exe, 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOPARBE.exe vs ordine n#U00b0 276.exe
Source: ordine n#U00b0 276.exe | Binary or memory string: OriginalFilenameOPARBE.exe vs ordine n#U00b0 276.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: security.dll
Source: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.643378031.000000000040C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@4/2@3/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_1DB3AF3E AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_1DB3AF07 AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\3blxsn2e.5rk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD8804A7BDBB85CBA.TMP
Source: ordine n#U00b0 276.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\ordine n#U00b0 276.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORY
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00407CDB push es; iretd 0_2_00407CDC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_0040CEF8 push ebp; iretd 0_2_0040CEFE
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_0040855C push esp; iretd 0_2_00408564
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00408565 push esp; iretd 0_2_00408564
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00408565 push esp; iretd 0_2_00408598
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00407D6F push edx; iretd 0_2_00407D7C
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00407B2B push ds; retf 0_2_00407B68
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00407FCC push esp; iretd 0_2_00407FD0
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00405BD3 push DD90C9D6h; retf 0_2_00405CCC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00408DD4 push esi; retf 0_2_00408DD5
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00405BE4 push DD90C9D6h; retf 0_2_00405CCC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00407F8D push esp; iretd 0_2_00407FB8
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_00405D90 push esp; iretd 0_2_00405DA8
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B908BE push 0000002Bh; retf 0_2_02B908BD
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B9088C push 0000002Bh; retf 0_2_02B908BD
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B922FA push edx; ret 0_2_02B92310
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B908D7 push 0000002Bh; retf 0_2_02B908BD
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B900C5 pushad ; ret 0_2_02B900C6
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B9303C push 7446A32Bh; ret 0_2_02B93048
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B91C7F push ebp; ret 0_2_02B91C80
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B92A73 push FFFFFFD4h; ret 0_2_02B92A9C
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B94A77 push edx; retf 0_2_02B94A65
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B94A62 push edx; retf 0_2_02B94A65
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B92A4C push FFFFFFD4h; ret 0_2_02B92A9C
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B917D6 push edx; ret 0_2_02B917DC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B9132B push ebp; ret 0_2_02B91350
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Code function: 0_2_02B9470A push ecx; iretd 0_2_02B9472F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_1DB3247D push FFFFFFC3h; ret 8_2_1DB33465
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Detected RDTSC dummy instruction sequence (likely for instruction hammering)
        Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | RDTSC instruction interceptor: First address: 0000000002B923B7 second address: 0000000002B923B7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FADB0D044E8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dh, ch 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 test ecx, 93E93443h 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FADB0D044C6h 0x0000002e test cx, 1904h 0x00000033 push ecx 0x00000034 call 00007FADB0D04502h 0x00000039 call 00007FADB0D044F8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
        Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Function Chain: memAlloc,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadDelayed,threadDelayed,keyOpened,keyEnumerated,keyEnumerated
        Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
        Tries to detect Any.run
        Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: ordine n#U00b0 276.exe, 00000000.00000002.776473131.0000000002BA0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000002.1726371428.0000000001110000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Source: ordine n#U00b0 276.exe, 00000000.00000002.776473131.0000000002BA0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
        Source: RegAsm.exe, 00000008.00000002.1726371428.0000000001110000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | RDTSC instruction interceptor: First address: 0000000002B923B7 second address: 0000000002B923B7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FADB0D044E8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dh, ch 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 test ecx, 93E93443h 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FADB0D044C6h 0x0000002e test cx, 1904h 0x00000033 push ecx 0x00000034 call 00007FADB0D04502h 0x00000039 call 00007FADB0D044F8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
        Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe | RDTSC instruction interceptor: First address: 0000000002B92528 second address: 0000000002B92528 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FADB08004F0h 0x0000001d popad 0x0000001e call 00007FADB07FE2EAh 0x00000023 lfence 0x00000026 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000FB2528 second address: 0000000000FB2528 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FADB0D06700h 0x0000001d popad 0x0000001e call 00007FADB0D044FAh 0x00000023 lfence 0x00000026 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 2874
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484 | Thread sleep time: -86220000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484 | Thread sleep time: -90000s >= -30000s