Loading ...

Play interactive tourEdit tour

Analysis Report Dimmock5.exe

Overview

General Information

Sample Name:Dimmock5.exe
Analysis ID:381541
MD5:1f6c8e6472b60d49704703c99b28a4b8
SHA1:1770766f6cfb51725e035b0f38f560bf03d73fae
SHA256:e0e93e3b7866085b8384948d12a2eb613fc9eb0bc283fbbe12841a5dca11ba9f
Tags:GuLoader
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Dimmock5.exe (PID: 4708 cmdline: 'C:\Users\user\Desktop\Dimmock5.exe' MD5: 1F6C8E6472B60D49704703C99B28A4B8)
    • RegAsm.exe (PID: 5596 cmdline: 'C:\Users\user\Desktop\Dimmock5.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "kpYtlUSCkDM", "URL: ": "http://JgAptYOPYbQxfk.net", "To: ": "", "ByHost: ": "mail.palacioguevara.com:587", "Password: ": "sUUgblUr6c", "From: ": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegAsm.exe PID: 5596JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: RegAsm.exe PID: 5596JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 1 entries

            Sigma Overview

            System Summary:

            barindex
            Sigma detected: RegAsm connects to smtp portShow sources
            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 54.37.255.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 5596, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49754

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: RegAsm.exe.5596.22.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "kpYtlUSCkDM", "URL: ": "http://JgAptYOPYbQxfk.net", "To: ": "", "ByHost: ": "mail.palacioguevara.com:587", "Password: ": "sUUgblUr6c", "From: ": ""}
            Multi AV Scanner detection for submitted fileShow sources
            Source: Dimmock5.exeVirustotal: Detection: 56%Perma Link
            Source: Dimmock5.exeMetadefender: Detection: 24%Perma Link
            Source: Dimmock5.exeReversingLabs: Detection: 72%
            Source: Dimmock5.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: unknownHTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.3:49741 version: TLS 1.2
            Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000016.00000002.736394339.0000000020E00000.00000002.00000001.sdmp

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: http://JgAptYOPYbQxfk.net
            Source: global trafficTCP traffic: 192.168.2.3:49754 -> 54.37.255.108:587
            Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficTCP traffic: 192.168.2.3:49754 -> 54.37.255.108:587
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1DECA09A recv,
            Source: unknownDNS traffic detected: queries for: doc-14-04-docs.googleusercontent.com
            Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmpString found in binary or memory: http://ENtKzK.com
            Source: RegAsm.exe, 00000016.00000002.734926660.000000001E1A8000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmpString found in binary or memory: http://JgAptYOPYbQxfk.net
            Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
            Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
            Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
            Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
            Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
            Source: RegAsm.exeString found in binary or memory: https://drive.google.com/uc?export=download&id=1bR5iuFkkMmFeiPqo3eCvIQyKbcDGCnIO
            Source: RegAsm.exe, 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1bR5iuFkkMmFeiPqo3eCvIQyKbcDGCnIO8
            Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
            Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknownHTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.3:49741 version: TLS 1.2
            Source: Dimmock5.exe, 00000000.00000002.457921405.000000000060A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Users\user\Desktop\Dimmock5.exeProcess Stats: CPU usage > 98%
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_01353325 NtProtectVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1DECB0BA NtQuerySystemInformation,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1DECB089 NtQuerySystemInformation,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E9938
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2EEE08
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E6310
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E7A10
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E0860
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E4B70
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E0CA0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E2290
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E6B90
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E8AE0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_2029EAEC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_20298320
            Source: Dimmock5.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Dimmock5.exe, 00000000.00000002.457965940.00000000020A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Dimmock5.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
            Source: Dimmock5.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@3/1@2/2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1DECAF3E AdjustTokenPrivileges,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1DECAF07 AdjustTokenPrivileges,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_01
            Source: Dimmock5.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Dimmock5.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Dimmock5.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: Dimmock5.exeVirustotal: Detection: 56%
            Source: Dimmock5.exeMetadefender: Detection: 24%
            Source: Dimmock5.exeReversingLabs: Detection: 72%
            Source: unknownProcess created: C:\Users\user\Desktop\Dimmock5.exe 'C:\Users\user\Desktop\Dimmock5.exe'
            Source: C:\Users\user\Desktop\Dimmock5.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Dimmock5.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000016.00000002.736394339.0000000020E00000.00000002.00000001.sdmp

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY
            Source: C:\Users\user\Desktop\Dimmock5.exeCode function: 0_2_00404CCD push FFFFFF83h; iretd
            Source: C:\Users\user\Desktop\Dimmock5.exeCode function: 0_2_00404D0C push ss; iretd
            Source: C:\Users\user\Desktop\Dimmock5.exeCode function: 0_2_00406126 push ss; ret
            Source: C:\Users\user\Desktop\Dimmock5.exeCode function: 0_2_00401E1C push esp; retf 0040h
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_1D2E35F0 push ebp; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_2029C6EA push esp; retf
            Source: C:\Users\user\Desktop\Dimmock5.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dimmock5.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dimmock5.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dimmock5.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dimmock5.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            barindex
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\Dimmock5.exeRDTSC instruction interceptor: First address: 000000000052193C second address: 000000000052193C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F8844813058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e cmp ebx, 077948D8h 0x00000024 test dl, bl 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F8844813039h 0x0000002e test edx, edx 0x00000030 push ecx 0x00000031 call 00007F8844813079h 0x00000036 call 00007F8844813068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
            Found evasive API chain (trying to detect sleep duration tampering with parallel thread)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFunction Chain: systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect Any.runShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: RegAsm.exe, 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF9
            Source: Dimmock5.exe, 00000000.00000002.457913128.0000000000600000.00000004.00000020.sdmpBinary or memory string: CC:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEEL
            Source: RegAsm.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\Dimmock5.exeRDTSC instruction interceptor: First address: 000000000052193C second address: 000000000052193C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F8844813058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e cmp ebx, 077948D8h 0x00000024 test dl, bl 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F8844813039h 0x0000002e test edx, edx 0x00000030 push ecx 0x00000031 call 00007F8844813079h 0x00000036 call 00007F8844813068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
            Source: C:\Users\user\Desktop\Dimmock5.exeRDTSC instruction interceptor: First address: 0000000000521A07 second address: 0000000000521A07 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F884475F716h 0x0000001d popad 0x0000001e cmp bx, cx 0x00000021 call 00007F884475E363h 0x00000026 lfence 0x00000029 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001351A07 second address: 0000000001351A07 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F8844814416h 0x0000001d popad 0x0000001e cmp bx, cx 0x00000021 call 00007F8844813063h 0x00000026 lfence 0x00000029 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_01351A04 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: threadDelayed 701
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736Thread sleep time: -21030000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 30000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 30000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 30000
            Source: RegAsm.exe, 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef9
            Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: Dimmock5.exe, 00000000.00000002.457913128.0000000000600000.00000004.00000020.sdmpBinary or memory string: cC:\Program Files\Qemu-ga\qemu-ga.exeel
            Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: RegAsm.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information queried: ProcessInformation

            Anti Debugging:

            barindex
            Hides threads from debuggersShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_01351A04 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_0135219B LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_01353025 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_0135187E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_01352B6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_01352943 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMemory allocated: page read and write | page guard
            Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            barindex
            Yara detected AgentTeslaShow sources
            Source: Yara matchFile source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Tries to harvest and steal browser information (history, passwords, etc)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Tries to harvest and steal ftp login credentialsShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
            Tries to steal Mail credentials (via file access)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: Yara matchFile source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected AgentTeslaShow sources
            Source: Yara matchFile source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation211DLL Side-Loading1Access Token Manipulation1Disable or Modify Tools11OS Credential Dumping2Security Software Discovery631Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsNative API1Boot or Logon Initialization ScriptsProcess Injection2Virtualization/Sandbox Evasion341Input Capture1Process Discovery2Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)DLL Side-Loading1Access Token Manipulation1Credentials in Registry1Virtualization/Sandbox Evasion341SMB/Windows Admin SharesArchive Collected Data1Automated ExfiltrationIngress Tool Transfer1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection2NTDSApplication Window Discovery1Distributed Component Object ModelData from Local System2Scheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol112Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonDLL Side-Loading1Cached Domain CredentialsSystem Information Discovery314VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values