Source: factura.exe |
Virustotal: Detection: 49% |
Source: factura.exe |
Metadefender: Detection: 27% |
Source: factura.exe |
ReversingLabs: Detection: 45% |
Source: factura.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C035C9 InternetReadFile, |
15_2_00C035C9 |
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0 |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0? |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.pki.goog/gsr202 |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.pki.goog/gts1o1core0 |
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp |
String found in binary or memory: http://pki.g |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0 |
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp, RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp, RegAsm.exe, 0000000F.00000002.1031906231.00000000010A0000.00000004.00000020.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/ |
Source: RegAsm.exe, 0000000F.00000002.1031906231.00000000010A0000.00000004.00000020.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/dU |
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/ |
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/A |
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/Mw# |
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/S |
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/s |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe4J |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe8J |
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeOj |
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeWJ |
Source: RegAsm.exe, 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbef |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbehJ |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbepJ |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbewmBbjvsikSdqvbetubek |
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeyJ |
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp |
String found in binary or memory: https://pki.goog/repository/0 |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\factura.exe |
Process Stats: CPU usage > 98% |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C001DE EnumWindows,NtSetInformationThread, |
15_2_00C001DE |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C031B1 NtProtectVirtualMemory, |
15_2_00C031B1 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C00219 NtSetInformationThread, |
15_2_00C00219 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C0352C NtProtectVirtualMemory, |
15_2_00C0352C |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 0_2_0040169C |
0_2_0040169C |
Source: factura.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsCollutions vs factura.exe |
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions vs factura.exe |
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions( vs factura.exe |
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsW vs factura.exe |
Source: factura.exe, 00000000.00000000.637238818.000000000040E000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe |
Source: factura.exe, 00000000.00000002.1021928094.00000000021E0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs factura.exe |
Source: factura.exe |
Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe |
Source: classification engine |
Classification label: mal100.rans.troj.evad.winEXE@4/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5392:120:WilError_01 |
Source: factura.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\factura.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\factura.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Users\user\Desktop\factura.exe 'C:\Users\user\Desktop\factura.exe' |
Source: C:\Users\user\Desktop\factura.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe' |
Source: C:\Users\user\Desktop\factura.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe' |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: Yara match |
File source: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 5388, type: MEMORY |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 0_2_00403542 push ebx; ret |
0_2_00403557 |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 0_2_0040657D push FFFFFFC2h; iretd |
0_2_004065A9 |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 0_2_004065AB push FFFFFFC2h; iretd |
0_2_004065A9 |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 0_2_00403E6A pushad ; ret |
0_2_00403E6B |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 0_2_00401E38 push esp; retf 0040h |
0_2_00401E39 |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 0_2_00403ED0 push esp; retf |
0_2_00403EDA |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 0_2_00403E90 push esp; retf |
0_2_00403EDA |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 0_2_00403F18 push esp; retf |
0_2_00403EDA |
Source: C:\Users\user\Desktop\factura.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C00AE8 LoadLibraryA, |
15_2_00C00AE8 |
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000411A41 second address: 0000000000411A41 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99E4842F68h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F99E4842F51h 0x00000026 cmp ah, dh 0x00000028 push ecx 0x00000029 call 00007F99E4842F79h 0x0000002e call 00007F99E4842F78h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Evasive API call chain: GetPEB, DecisionNodes, Sleep |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: RegAsm.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000412C6A second address: 0000000000412C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007F99E4842F34h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc |
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000412B18 second address: 0000000000412A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc |
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000411B03 second address: 0000000000411B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99E4D9C4AAh 0x0000001d popad 0x0000001e call 00007F99E4D9B20Bh 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000412BA9 second address: 0000000000412BA9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push dword ptr [eax+ecx] 0x0000000e pop dword ptr [ebx+ecx] 0x00000011 cmp bx, ax 0x00000014 test cx, 1B46h 0x00000019 inc ecx 0x0000001a inc ecx 0x0000001b inc ecx 0x0000001c inc ecx 0x0000001d cmp dl, bl 0x0000001f cmp ecx, 18h 0x00000022 jne 00007F99E4842F38h 0x00000024 cmp edx, edx 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000000C02C6A second address: 0000000000C02C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007F99E4D9B1C4h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000000C02B18 second address: 0000000000C02A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000000C01B03 second address: 0000000000C01B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99E4D9C4AAh 0x0000001d popad 0x0000001e call 00007F99E4D9B20Bh 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C02A2C rdtsc |
15_2_00C02A2C |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5448 |
Thread sleep time: -40000s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAWX |
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: RegAsm.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAWMA=v |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C001DE NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000 |
15_2_00C001DE |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process queried: DebugPort |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C01D57 LdrInitializeThunk, |
15_2_00C01D57 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C00AE8 mov eax, dword ptr fs:[00000030h] |
15_2_00C00AE8 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C00E25 mov eax, dword ptr fs:[00000030h] |
15_2_00C00E25 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C00FE2 mov eax, dword ptr fs:[00000030h] |
15_2_00C00FE2 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C02BEE mov eax, dword ptr fs:[00000030h] |
15_2_00C02BEE |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C01996 mov eax, dword ptr fs:[00000030h] |
15_2_00C01996 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C029BD mov eax, dword ptr fs:[00000030h] |
15_2_00C029BD |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 15_2_00C02F5D mov eax, dword ptr fs:[00000030h] |
15_2_00C02F5D |
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |