Click to jump to signature section
Source: mdWXrbOxsY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: mdWXrbOxsY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A6A223 FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 0_2_00A6A223 |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: unotree.ruConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /getjson.php?id=88 HTTP/1.1Host: unotree.ru |
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: unotree.ruConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /getjson.php?id=88 HTTP/1.1Host: unotree.ru |
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0 |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0 |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: RegAsm.exe, 00000003.00000002.1836943376.0000000006330000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mF |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07 |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K |
Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003247000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com |
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/?fields=11827 |
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1836259380.0000000003247000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://ocsp.digicert.com0A |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://ocsp.digicert.com0C |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://ocsp.digicert.com0H |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://ocsp.digicert.com0I |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://ocsp.digicert.com0X |
Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003179000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: RegAsm.exe, 00000003.00000002.1836259380.000000000318A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://unotree.ru |
Source: mdWXrbOxsY.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0 |
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1836259380.0000000003111000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://aiwhcpoaw.ru/ |
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://t.me/xehook |
Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003179000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1836259380.00000000031CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://unotree.ru |
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1836259380.0000000003111000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://unotree.ru/ |
Source: RegAsm.exe, 00000003.00000002.1836259380.00000000031CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://unotree.ru/getjson.php?id=88 |
Source: mdWXrbOxsY.exe | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731 |
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443 |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A61040 | 0_2_00A61040 |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A658CE | 0_2_00A658CE |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A72C10 | 0_2_00A72C10 |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A689AF | 0_2_00A689AF |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A6DAB0 | 0_2_00A6DAB0 |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A6DF38 | 0_2_00A6DF38 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02EF64E0 | 3_2_02EF64E0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02EF6DB0 | 3_2_02EF6DB0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02EF6198 | 3_2_02EF6198 |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: String function: 00A61F30 appears 35 times | |
Source: mdWXrbOxsY.exe | Binary or memory string: OriginalFilename vs mdWXrbOxsY.exe |
Source: mdWXrbOxsY.exe, 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexehook.exe" vs mdWXrbOxsY.exe |
Source: mdWXrbOxsY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine | Classification label: mal84.troj.evad.winEXE@6/1@2/2 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03 |
Source: mdWXrbOxsY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown | Process created: C:\Users\user\Desktop\mdWXrbOxsY.exe "C:\Users\user\Desktop\mdWXrbOxsY.exe" | |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll | Jump to behavior |
Source: mdWXrbOxsY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: mdWXrbOxsY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: mdWXrbOxsY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: mdWXrbOxsY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: mdWXrbOxsY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: mdWXrbOxsY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: mdWXrbOxsY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: mdWXrbOxsY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: mdWXrbOxsY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: mdWXrbOxsY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: mdWXrbOxsY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: mdWXrbOxsY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2EB0000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 3110000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2F50000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 600000 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599891 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599781 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599672 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599563 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599438 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599313 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599188 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599078 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598969 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -2767011611056431s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -600000s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -599891s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3720 | Thread sleep count: 1793 > 30 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -599781s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -599672s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -599563s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -599438s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -599313s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -599188s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -599078s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488 | Thread sleep time: -598969s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5816 | Thread sleep time: -30000s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3720 | Thread sleep time: -922337203685477s >= -30000s | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A6A223 FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 0_2_00A6A223 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 600000 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599891 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599781 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599672 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599563 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599438 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599313 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599188 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599078 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598969 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003247000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware |
Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003247000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware |
Source: RegAsm.exe, 00000003.00000002.1835499855.00000000012E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO |
Source: RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBox.dllNONE |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A61D08 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00A61D08 |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A6B79B mov eax, dword ptr fs:[00000030h] | 0_2_00A6B79B |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A66FF9 mov ecx, dword ptr fs:[00000030h] | 0_2_00A66FF9 |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A6187D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00A6187D |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A61D08 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00A61D08 |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A61E64 SetUnhandledExceptionFilter, | 0_2_00A61E64 |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A6636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00A6636B |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A91C7D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, | 0_2_00A91C7D |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000 | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 418000 | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000 | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EA2008 | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe | Code function: 0_2_00A61BF5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_00A61BF5 |
Source: Yara match | File source: Process Memory Space: mdWXrbOxsY.exe PID: 6932, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6640, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: mdWXrbOxsY.exe PID: 6932, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6640, type: MEMORYSTR |