Source: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]} |
Source: faktura_ODfk0021.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp |
String found in binary or memory: http://DynDns.comDynDNS |
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0 |
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0? |
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.pki.goog/gsr202 |
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.pki.goog/gts1o1core0 |
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp |
String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0 |
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp |
String found in binary or memory: http://zQsfOZ.com |
Source: RegAsm.exe, 00000003.00000002.491917908.0000000000FE7000.00000004.00000020.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/ |
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp |
String found in binary or memory: https://doc-0s-04-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/uq2l008j |
Source: RegAsm.exe |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw |
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp |
String found in binary or memory: https://pki.goog/repository/0 |
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_022B3BC4 NtResumeThread, |
0_2_022B3BC4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C23BC4 NtQueryInformationProcess, |
3_2_00C23BC4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C236EE NtProtectVirtualMemory, |
3_2_00C236EE |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_004015B4 |
0_2_004015B4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1D9E47A0 |
3_2_1D9E47A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1D9E4790 |
3_2_1D9E4790 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1D9E4773 |
3_2_1D9E4773 |
Source: faktura_ODfk0021.exe, 00000000.00000002.324592390.0000000002A30000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameCass7.exeFE2XADP vs faktura_ODfk0021.exe |
Source: faktura_ODfk0021.exe, 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameCass7.exe vs faktura_ODfk0021.exe |
Source: faktura_ODfk0021.exe |
Binary or memory string: OriginalFilenameCass7.exe vs faktura_ODfk0021.exe |
Source: faktura_ODfk0021.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Users\user\Desktop\faktura_ODfk0021.exe 'C:\Users\user\Desktop\faktura_ODfk0021.exe' |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_ODfk0021.exe' |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: Yara match |
File source: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6328, type: MEMORY |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_00401E78 pushfd ; retn 0000h |
0_2_0040228E |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_004066CF push ebp; retf |
0_2_004066E0 |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_00406D53 push 38BB86EFh; retf |
0_2_00406D6B |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_022B0104 push ADC64FC2h; iretd |
0_2_022B0109 |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_022B0F63 push ds; retf |
0_2_022B0F7C |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_022B0174 push ADC64FC2h; iretd |
0_2_022B0179 |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_022B2F47 push edx; retf |
0_2_022B2F48 |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_022B0144 push ADC64FC2h; iretd |
0_2_022B0149 |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_022B01AC push ADC64FC2h; iretd |
0_2_022B01B1 |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Code function: 0_2_022B1DFB push edx; retf |
0_2_022B1DFC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1D9EC598 push 941FABA6h; retf |
3_2_1D9EC64D |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C231D9 |
3_2_00C231D9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C233E3 |
3_2_00C233E3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C233FD |
3_2_00C233FD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C2323A |
3_2_00C2323A |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
RDTSC instruction interceptor: First address: 00000000022B1C7E second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push ecx 0x0000000b test ax, cx 0x0000000e test dl, 00000017h 0x00000011 call 00007F21FCFA4CE6h 0x00000016 call 00007F21FCFA4CD8h 0x0000001b lfence 0x0000001e mov edx, dword ptr [7FFE0014h] 0x00000024 lfence 0x00000027 ret 0x00000028 mov esi, edx 0x0000002a pushad 0x0000002b rdtsc |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
RDTSC instruction interceptor: First address: 00000000022B1CBD second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F21FCF9DB48h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 test eax, eax 0x00000022 dec ecx 0x00000023 cmp bh, bh 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F21FCF9DB1Eh 0x0000002a pushad 0x0000002b nop 0x0000002c nop 0x0000002d mov eax, 00000001h 0x00000032 cpuid 0x00000034 popad 0x00000035 push ecx 0x00000036 test ax, cx 0x00000039 test dl, 00000017h 0x0000003c call 00007F21FCF9DB66h 0x00000041 call 00007F21FCF9DB58h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
RDTSC instruction interceptor: First address: 00000000022B347F second address: 00000000022B347F instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000000C233C1 second address: 0000000000C233C1 instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: RegAsm.exe, 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8 |
Source: RegAsm.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
RDTSC instruction interceptor: First address: 00000000022B1DAB second address: 00000000022B1DAB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F21FCFA60E7h 0x0000001d popad 0x0000001e call 00007F21FCFA4CDAh 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000000C21DAB second address: 0000000000C21DAB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F21FCFA60E7h 0x0000001d popad 0x0000001e call 00007F21FCFA4CDAh 0x00000023 lfence 0x00000026 rdtsc |
Source: RegAsm.exe, 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8 |
Source: RegAsm.exe, 00000003.00000002.491917908.0000000000FE7000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: RegAsm.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe |
Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C233E3 mov eax, dword ptr fs:[00000030h] |
3_2_00C233E3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C21BF5 mov eax, dword ptr fs:[00000030h] |
3_2_00C21BF5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C233FD mov eax, dword ptr fs:[00000030h] |
3_2_00C233FD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C22FBC mov eax, dword ptr fs:[00000030h] |
3_2_00C22FBC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00C22D7E mov eax, dword ptr fs:[00000030h] |
3_2_00C22D7E |
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp |
Binary or memory string: uProgram Manager |
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: Yara match |
File source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6328, type: MEMORY |