
Analysis Report Siparis Verebilir_changed.exe

Overview

General Information

Sample Name:Siparis Verebilir_changed.exe
MD5:0291ee13e90bfdaead9612f5c241292d
SHA1:be3f8cf200950ed3d0278237672c4c085b0dd80f
SHA256:5d18e32ced4ba95c3d42f56a2af4a09d73ccf8f6c8b87b94324493704cc7e133

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Potential malicious icon found
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Siparis Verebilir_changed.exe (PID: 4796 cmdline: 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe' MD5: 0291EE13E90BFDAEAD9612F5C241292D)
    • RegAsm.exe (PID: 3468 cmdline: 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 1820 cmdline: 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 2788 cmdline: 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 1660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1025032515.000000000040D000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x1a00:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000000.766671850.000000000040D000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x1a00:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000004.00000002.1190687218.0000000000C00000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 2788 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Note that the LokiBot_Dropper_Packed_R11_Feb18 hits (both in the parent process, index 00000000) rest on a single string, the VB6.OLB build path commonly found in Visual Basic 6 executables (the sample loads msvbvm60.dll, see System Summary). They therefore say "VB6-compiled wrapper", not "LokiBot payload"; the GuLoader matches in the RegAsm.exe memory (PID 2788) are what classify this sample.

      Sigma Overview

      No Sigma rule has matched

      Signature Overview


AV Detection:

Machine Learning detection for sample
Source: Siparis Verebilir_changed.exe | Joe Sandbox ML: detected

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 104.16.202.237
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C051BA InternetReadFile
Source: unknown | DNS traffic detected: queries for: www.mediafire.com
Source: RegAsm.exe, 00000004.00000002.1191271135.0000000000F4B000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000004.00000002.1191271135.0000000000F4B000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000004.00000002.1191271135.0000000000F4B000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegAsm.exe, 00000004.00000002.1191271135.0000000000F4B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000004.00000002.1191271135.0000000000F4B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.sectigo.com0)
Source: RegAsm.exe, 00000004.00000002.1191271135.0000000000F4B000.00000004.00000020.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: RegAsm.exe, 00000004.00000002.1191271135.0000000000F4B000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: RegAsm.exe, 00000004.00000002.1191626955.0000000002910000.00000004.00000001.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing?utm_source=error_footer
Source: RegAsm.exe, 00000004.00000002.1190687218.0000000000C00000.00000040.00000001.sdmp | String found in binary or memory: https://www.mediafire.com/file/qh3vln2o0x07kft/origin_AYbnrYZQCX222.bin/file
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748

Source: Siparis Verebilir_changed.exe, 00000000.00000002.1025529566.00000000006EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1025032515.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000000.766671850.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_028851BA NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_0288528F NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_028854BB NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_028852C6 NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_028852FF NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_0288520B NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_0288540B NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_02885229 NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_0288543C NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_02885258 NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_02885388 NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_028853BA NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_028853DD NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_028851D5 NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_0288532D NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_02885139 NtResumeThread
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_0288535B NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C003B3 EnumWindows,NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C04D57 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C004C3 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C04CEF NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C002F8 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C00483 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C00418 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C04DD1 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C003B7 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C0034D NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C003B3
Source: Siparis Verebilir_changed.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Siparis Verebilir_changed.exe, 00000000.00000002.1027377768.00000000028A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename pierogir.exeFE2X vs Siparis Verebilir_changed.exe
Source: Siparis Verebilir_changed.exe, 00000000.00000002.1025070109.0000000000413000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename pierogir.exe vs Siparis Verebilir_changed.exe
Source: Siparis Verebilir_changed.exe, 00000000.00000002.1025497889.00000000006D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename user32j% vs Siparis Verebilir_changed.exe
Source: Siparis Verebilir_changed.exe | Binary or memory string: OriginalFilename pierogir.exe vs Siparis Verebilir_changed.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: 00000000.00000002.1025032515.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.766671850.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal84.rans.troj.evad.winEXE@8/0@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1660:120:WilError_01
Source: Siparis Verebilir_changed.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\Siparis Verebilir_changed.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: Window Recorder | Window detected: More than 3 window changes detected
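
The process tree and the "Process created" entries above show the loader starting the .NET utility RegAsm.exe three times with its own command line ('C:\Users\user\Desktop\Siparis Verebilir_changed.exe') instead of RegAsm's: that image/command-line mismatch is what a process created with CREATE_SUSPENDED and then overwritten looks like from the outside, and it is the cheapest thing to alert on. The detection below is an added example written for this page, not part of the Joe Sandbox report. It runs over constructed process-creation records modelled on Sysmon Event ID 1 (the field names ProcessId, Image, CommandLine and ParentImage are assumed); the PIDs and paths of the first two records are taken from the tree, the third is an invented benign run, and the list of watched utilities beyond RegAsm.exe is an assumption.

```python
"""Flag process-creation events where a .NET framework utility is started with
a command line that names a different executable (hollowed-process indicator).

Added example, not part of the Joe Sandbox report. Records are constructed to
resemble Sysmon Event ID 1 fields; the utility watch-list is an assumption.
"""
import ntpath
from typing import Dict, List

# Assumption: framework utilities that loaders commonly start suspended and
# overwrite. RegAsm.exe is the one that appears in this report.
WATCHED_UTILITIES = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}

# Assumption: directories an ordinary user can write to. A parent launched
# from here is a weaker, secondary indicator used to rank hits.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def first_token(cmdline: str) -> str:
    """Return the executable part of a Windows command line.

    Accepts double-quoted paths (as Windows passes them) and the single-quoted
    form the report prints; an unquoted path ends at the first space.
    """
    cmdline = cmdline.strip()
    if cmdline and cmdline[0] in ("'", '"'):
        closing = cmdline.find(cmdline[0], 1)
        return cmdline[1:closing] if closing != -1 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def hollowing_reasons(event: Dict[str, object]) -> List[str]:
    """Return the reasons an event looks like a hollowed framework utility
    (empty list when the image is not on the watch-list or nothing is off)."""
    reasons: List[str] = []
    image = str(event["Image"])
    if ntpath.basename(image).lower() not in WATCHED_UTILITIES:
        return reasons
    claimed = first_token(str(event["CommandLine"]))
    # The process's command line names a different executable than the image
    # it runs: the parent copied its own command line into CreateProcess and
    # replaced the suspended child's memory afterwards.
    if ntpath.normcase(claimed) != ntpath.normcase(image):
        reasons.append("command line names %s, not the image" % claimed)
    if str(event["ParentImage"]).lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("parent runs from a user-writable path")
    return reasons


def detect_hollowing(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run hollowing_reasons over a batch and return one finding per hit."""
    findings = []
    for ev in events:
        reasons = hollowing_reasons(ev)
        if reasons:
            findings.append({"pid": ev["ProcessId"], "image": ev["Image"], "reasons": reasons})
    return findings


# Constructed records: the first two mirror the process tree in this report,
# the third is an invented legitimate RegAsm run for contrast.
SAMPLE_EVENTS = [
    {"ProcessId": 3468,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "CommandLine": r"'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'",
     "ParentImage": r"C:\Users\user\Desktop\Siparis Verebilir_changed.exe"},
    {"ProcessId": 1660,
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"},
    {"ProcessId": 5120,  # image and command line agree: no finding
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase C:\build\lib.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_EVENTS):
        print(finding["pid"], finding["image"], "; ".join(finding["reasons"]))
```

The mismatch between image and command line is the strong signal; the parent-path check only ranks hits. A developer who runs RegAsm.exe by hand produces no finding because the command line names the image itself, and conhost.exe is ignored because it is not on the watch-list even though its parent here is the hollowed RegAsm.exe.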

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000004.00000002.1190687218.0000000000C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2788, type: MEMORY
Source: Siparis Verebilir_changed.exe | Static PE information: real checksum: 0x21b1c should be: 0x21b1d
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_00408943 push FFFFFF8Fh; ret 0_2_00408958
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_0040896F pushfd ; iretd 0_2_00408970
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_028858AC pushad ; ret 0_2_028858AD
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_02884837 push B9BB8161h; retf 0_2_02884847
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_02882076 push BC26FCDDh; retf 0_2_028820A5
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Code function: 0_2_028823E0 pushad ; ret 0_2_028823EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C058AC pushad ; ret 4_2_00C058AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C00005 push DFCB8F12h; retf 4_2_00C0032B

Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C023E3
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | RDTSC instruction interceptor: first address: 00000000028823E6, second address: 0000000002882404, instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a mov esi, edx
  0x0000000c pushad
  0x0000000d mov eax, 00000001h
  0x00000012 cpuid
  0x00000014 bt ecx, 1Fh
  0x00000018 jc 00007F821490F8B2h
  0x0000001a popad
  0x0000001b lfence
  0x0000001e rdtsc
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | RDTSC instruction interceptor: first address: 0000000002882404, second address: 00000000028823E6, instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a sub edx, esi
  0x0000000c cmp edx, 00000000h
  0x0000000f jle 00007F821490FE70h
  0x00000011 lfence
  0x00000014 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | RDTSC instruction interceptor: first address: 0000000000C023E6, second address: 0000000000C02404, instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a mov esi, edx
  0x0000000c pushad
  0x0000000d mov eax, 00000001h
  0x00000012 cpuid
  0x00000014 bt ecx, 1Fh
  0x00000018 jc 00007F821470CDD2h
  0x0000001a popad
  0x0000001b lfence
  0x0000001e rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | RDTSC instruction interceptor: first address: 0000000000C02404, second address: 0000000000C023E6, instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a sub edx, esi
  0x0000000c cmp edx, 00000000h
  0x0000000f jle 00007F821490FE70h
  0x00000011 lfence
  0x00000014 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened / queried: C:\ProgramData\qemu-ga\qga.state
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C023E3 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 782
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 944 | Thread sleep time: -7820000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: RegAsm.exe, 00000004.00000002.1190687218.0000000000C00000.00000040.00000001.sdmp | Binary or memory string: C:\ProgramData\qemu-ga\qga.state
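
The two interceptor traces above are one loop seen from both of its rdtsc reads. The first read is folded into a single register (shl edx, 20h; or edx, eax; note that in 32-bit code, which this WoW64 RegAsm.exe is, the shift count is masked to 5 bits, so the shift is a no-op and the result is simply edx | eax) and parked in esi; CPUID leaf 1 is then executed and ECX bit 31, the hypervisor-present flag, is tested; the second read is subtracted from the first and the jle sends execution back to the first rdtsc while the difference is not positive. Since the instruction bytes are fixed, the sequence can be hunted in memory dumps and unpacked payloads. The scanner below is an added example written for this page, not tooling from the report or from Joe Sandbox. Its byte encodings are standard x86 (checked against the instruction lengths in the traces), its sample buffer is constructed from the instructions listed above with the jc displacement chosen arbitrarily and the jle displacement set to return to the first rdtsc, and the pairing window and the YARA rule name are assumptions.

```python
"""Scan raw code or memory dumps for the rdtsc / cpuid hypervisor-bit timing
check shown in the RDTSC interceptor traces of this report.

Added example for this page, not tooling from the report or from Joe Sandbox.
Byte encodings are standard x86; SAMPLE is constructed from the listed
instructions.
"""
import re
from typing import List, Tuple

# 0F 31          rdtsc
# 0F AE E8       lfence
# C1 E2 20       shl edx, 20h   (count masked to 5 bits in 32-bit code: no-op there)
# 09 C2 | 0B D0  or edx, eax    (the two valid encodings of the same instruction)
RDTSC_PROLOGUE = re.compile(rb"\x0f\x31\x0f\xae\xe8\xc1\xe2\x20(?:\x09\xc2|\x0b\xd0)")

# B8 01 00 00 00 mov eax, 1
# 0F A2          cpuid          (leaf 1)
# 0F BA E1 1F    bt ecx, 1Fh    (ECX bit 31 = hypervisor present)
CPUID_HV_BIT = re.compile(rb"\xb8\x01\x00\x00\x00\x0f\xa2\x0f\xba\xe1\x1f")

PATTERNS = {"rdtsc_prologue": RDTSC_PROLOGUE, "cpuid_hv_bit": CPUID_HV_BIT}


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, pattern name) for every match, ordered by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in PATTERNS.items():
        hits.extend((m.start(), name) for m in pattern.finditer(buf))
    return sorted(hits)


def find_timing_loops(hits: List[Tuple[int, str]], window: int = 0x40) -> List[Tuple[int, int, int]]:
    """Pair a first rdtsc read with a cpuid hypervisor check and a second rdtsc
    read that both follow it within `window` bytes (an assumed bound).
    In the traces above the three sit at +0x00, +0x0d and +0x1e."""
    prologues = [off for off, name in hits if name == "rdtsc_prologue"]
    checks = [off for off, name in hits if name == "cpuid_hv_bit"]
    loops = []
    for i, first in enumerate(prologues):
        check = next((c for c in checks if first < c < first + window), None)
        second = next((p for p in prologues[i + 1:] if p < first + window), None)
        if check is not None and second is not None and check < second:
            loops.append((first, check, second))
    return loops


def as_yara(rule_name: str = "x86_rdtsc_cpuid_hypervisor_timing") -> str:
    """Render the same two byte patterns as a YARA rule for memory scanning."""
    return "\n".join([
        "rule %s {" % rule_name,
        "    strings:",
        "        $rdtsc = { 0F 31 0F AE E8 C1 E2 20 ( 09 C2 | 0B D0 ) }",
        "        $hvbit = { B8 01 00 00 00 0F A2 0F BA E1 1F }",
        "    condition:",
        "        $rdtsc and $hvbit",
        "}",
    ])


# Constructed from the two traces, laid out back to back so that the second
# rdtsc read lands at +0x1e exactly as the interceptor reports. The jc
# displacement is arbitrary; the jle displacement (D1 = -0x2F) returns to +0x00.
SAMPLE = bytes.fromhex(
    "0f31" "0faee8" "c1e220" "09c2"        # rdtsc; lfence; shl edx,20h; or edx,eax
    "89d6" "60"                            # mov esi,edx; pushad
    "b801000000" "0fa2" "0fbae11f" "7200"  # mov eax,1; cpuid; bt ecx,1Fh; jc
    "61" "0faee8"                          # popad; lfence
    "0f31" "0faee8" "c1e220" "09c2"        # +0x1e: rdtsc; lfence; shl; or
    "29f2" "83fa00" "7ed1"                 # sub edx,esi; cmp edx,0; jle +0x00
    "0faee8" "0f31"                        # lfence; rdtsc
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for off, name in found:
        print("0x%04x %s" % (off, name))
    print("timing loops:", [tuple(hex(x) for x in loop) for loop in find_timing_loops(found)])
    print(as_yara())
```

Run scan() over a process memory dump (for example the 00000004.00000002.1190687218.0000000000C00000 region that the GuLoader rule matched) and feed the hits to find_timing_loops(); a prologue/check/prologue triple within a few dozen bytes is the loop above. The YARA rendering uses the same bytes, so a match in a memory scan and a match here mean the same thing; a plain RDTSC pattern alone would also fire on legitimate benchmarking code, which is why the rule requires the CPUID leaf-1 hypervisor-bit test as well.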

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C003B3 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 (ThreadInformationClass 0x11 is ThreadHideFromDebugger)
Hides threads from debuggers
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C023E3 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C03093 LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C022BC mov eax, dword ptr fs:[00000030h] (fs:[30h] is the PEB pointer of a 32-bit process)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C04253 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C0161F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C03E37 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C015C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C0159E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C04965 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C04967 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C00F02 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_00C01514 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: C:\Users\user\Desktop\Siparis Verebilir_changed.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Siparis Verebilir_changed.exe'
Source: RegAsm.exe, 00000004.00000002.1191460778.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000004.00000002.1191460778.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 00000004.00000002.1191460778.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: RegAsm.exe, 00000004.00000002.1191460778.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

The digits following some technique names are the matrix's per-technique badge numbers, kept as displayed in the original.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Graphical User Interface 1 | Winlogon Helper DLL | Process Injection 12 | Virtualization/Sandbox Evasion 12 | Input Capture 1 | Virtualization/Sandbox Evasion 12 | Remote File Copy 1 | Input Capture 1 | Data Encrypted 1 | Standard Cryptographic Protocol 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection 12 | Network Sniffing | Process Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information 1 | Input Capture | Application Window Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | DLL Side-Loading 1 | Credentials in Files | Security Software Discovery 421 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 2 | SIM Card Swap | Premium SMS Toll Fraud |
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | Remote System Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | System Information Discovery 21 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
