Analysis Report Zapytanie ofertowe (THERMAR 04152021).exe

Overview

General Information

Sample Name: Zapytanie ofertowe (THERMAR 04152021).exe
Analysis ID: 387921
MD5: db9c85fd056d349b140e717463f96af7
SHA1: 35c6ade22bb43f1a540ca038685bc9972cf6bea7
SHA256: e43b31d2b2446cd82a278f282ac128721a9d8b7718524eab066f5ed7eac40c1e
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Source: RegAsm.exe.2028.2.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "vItWU", "URL: ": "https://H59hPIoLS2g1MK.net", "To: ": "barbosabronx@yandex.com", "ByHost: ": "mail.aepa.ws:587", "Password: ": "c5h9ISinvw", "From: ": "info@aepa.ws"}
Multi AV Scanner detection for submitted file
Source: Zapytanie ofertowe (THERMAR 04152021).exe Virustotal: Detection: 16% Perma Link
Source: Zapytanie ofertowe (THERMAR 04152021).exe ReversingLabs: Detection: 14%
Machine Learning detection for sample
Source: Zapytanie ofertowe (THERMAR 04152021).exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: Zapytanie ofertowe (THERMAR 04152021).exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.22:49166 version: TLS 1.2

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x
Source: Malware configuration extractor URLs: https://H59hPIoLS2g1MK.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.127.128.20:587
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.127.128.20:587
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com3 equals www.linkedin.com (Linkedin)
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: doc-00-74-docs.googleusercontent.com
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp String found in binary or memory: http://HCWjJU.com
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp String found in binary or memory: http://aepa.ws
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000002.00000002.3144625845.0000000000855000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000002.00000002.3148291480.000000001D71B000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: RegAsm.exe, 00000002.00000002.3148233406.000000001D6A6000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000002.00000002.3148233406.000000001D6A6000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.3148291480.000000001D71B000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f07397a481be1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp String found in binary or memory: http://mail.aepa.ws
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000002.00000002.3149408902.0000000021550000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at0E
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certifikat.dk/repository0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: RegAsm.exe, 00000002.00000002.3149242845.0000000020D04000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.crc.bg0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.firmaprofesional.com0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.com/1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: RegAsm.exe, 00000002.00000002.3148657676.000000001E11E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.3148731419.000000001E194000.00000004.00000001.sdmp String found in binary or memory: https://H59hPIoLS2g1MK.net
Source: RegAsm.exe, 00000002.00000002.3148657676.000000001E11E000.00000004.00000001.sdmp String found in binary or memory: https://H59hPIoLS2g1MK.netLX
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000002.00000002.3144572077.00000000007D9000.00000004.00000020.sdmp String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/GG
Source: RegAsm.exe, 00000002.00000002.3144636278.0000000000869000.00000004.00000020.sdmp String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/1c5gv62u
Source: RegAsm.exe, 00000002.00000002.3144572077.00000000007D9000.00000004.00000020.sdmp String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/tG
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe String found in binary or memory: https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.22:49166 version: TLS 1.2

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00306D48 NtProtectVirtualMemory, 2_2_00306D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307278 NtQueryInformationProcess, 2_2_00307278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307427 NtQueryInformationProcess, 2_2_00307427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307400 NtQueryInformationProcess, 2_2_00307400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307470 NtQueryInformationProcess, 2_2_00307470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0030744B NtQueryInformationProcess, 2_2_0030744B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307492 NtQueryInformationProcess, 2_2_00307492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003074DE NtQueryInformationProcess, 2_2_003074DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00306D11 NtProtectVirtualMemory, 2_2_00306D11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307504 NtQueryInformationProcess, 2_2_00307504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307579 NtQueryInformationProcess, 2_2_00307579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307553 NtQueryInformationProcess, 2_2_00307553
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003075AA NtQueryInformationProcess, 2_2_003075AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003075E7 NtQueryInformationProcess, 2_2_003075E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003075CA NtQueryInformationProcess, 2_2_003075CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307621 NtQueryInformationProcess, 2_2_00307621
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307603 NtQueryInformationProcess, 2_2_00307603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307662 NtQueryInformationProcess, 2_2_00307662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003072AF NtQueryInformationProcess, 2_2_003072AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307290 NtQueryInformationProcess, 2_2_00307290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307680 NtQueryInformationProcess, 2_2_00307680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003072F3 NtQueryInformationProcess, 2_2_003072F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003072D2 NtQueryInformationProcess, 2_2_003072D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307336 NtQueryInformationProcess, 2_2_00307336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307313 NtQueryInformationProcess, 2_2_00307313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0030737A NtQueryInformationProcess, 2_2_0030737A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307355 NtQueryInformationProcess, 2_2_00307355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00307399 NtQueryInformationProcess, 2_2_00307399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003073DF NtQueryInformationProcess, 2_2_003073DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003073C3 NtQueryInformationProcess, 2_2_003073C3
Detected potential crypto function
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_004095BA 0_2_004095BA
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409CD1 0_2_00409CD1
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_0040989A 0_2_0040989A
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_0040A159 0_2_0040A159
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409D62 0_2_00409D62
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_0040996B 0_2_0040996B
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_0040A119 0_2_0040A119
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409924 0_2_00409924
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_0040A1F2 0_2_0040A1F2
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409E40 0_2_00409E40
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409E7F 0_2_00409E7F
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409A01 0_2_00409A01
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409637 0_2_00409637
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00410EC8 0_2_00410EC8
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409685 0_2_00409685
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_0040A288 0_2_0040A288
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409F0D 0_2_00409F0D
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409711 0_2_00409711
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409FA0 0_2_00409FA0
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00409BAB 0_2_00409BAB
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_004097AF 0_2_004097AF
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_002E0156 0_2_002E0156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006F9050 2_2_006F9050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006FEE88 2_2_006FEE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006F5C80 2_2_006F5C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006F0168 2_2_006F0168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006FC7E8 2_2_006FC7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006F9620 2_2_006F9620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006F2CC8 2_2_006F2CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006F3F78 2_2_006F3F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006F834D 2_2_006F834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006F2D28 2_2_006F2D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_006F25D0 2_2_006F25D0
PE file contains strange resources
Source: Zapytanie ofertowe (THERMAR 04152021).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Zapytanie ofertowe (THERMAR 04152021).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000000.2063507468.000000000041A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGALDEBR.exe vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewersvcj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbengine.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepuiapi.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWfsR.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmplayer.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsfltr32.acm.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaudiosrv.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebatt.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMDMINST.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWCNCSVC.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePOWRPROF.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAUTOPLAY.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedmdskres.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpscript.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesdcpl.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesrchadmin.dll.mui@ vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWPDSp.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameVfWWDM32.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUsbui.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameERCj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamecscsvc.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameehRecvr.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamessdpsrv.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXE.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenetcfgx.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsfeedsbs.dll.muiD vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameunregmp2.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWUDFSvc.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWPCCPL.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameTrustedInstaller.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUxTheme.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenetprof.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebattc.sys.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewevtsvc.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameappmgmts.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesti_ci.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamefaultrep.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewdc.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameqwavedrv.sys.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewucltux.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameunpnhost.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameappinfo.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemidimap.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmcndmgr.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAccessibilityCpl.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSRATING.DLL.MUID vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameoleres.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmploc.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameACCTRES.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameOLEACCRC.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIPBusEnum.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamerstrui.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameieinstal.exe.muiD vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmisvc.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSRVSVC.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedeskadp.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePowerCPL.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsadp32.acm.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSRV.SYS.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameiccvid.drv.muiN vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpapi.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebluetooth.cpl.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewpd_ci.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameINETRES.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSWPRV.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePhotoScreensaver.scr.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameATL.DLL.MUIR vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmcbase.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamelhdfrgui.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePDH.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMPNSSCI.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamescsiport.sys.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAVIFIL32.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmci.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametermsrv.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameBubblesj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIE4UINIT.EXE.MUID vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameiedkcs32.dll.muiD vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWinMail.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewevtutil.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameTBSSVC.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameulib.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamei8042prt.sys.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemycomput.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameparport.sys.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedsound.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamefwcfg.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameqwave.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameumrdp.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameehres.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMPSideShowGadgetj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameonex.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamethumbcache.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamelocalsec.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUI0Detect.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWLANGPUI.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSV1_0.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamehotplug.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSTI.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmcss.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewuaueng.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameOLE32.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamew32time.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameslui.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUSERCPL.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametaskschd.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMDM.dll.muiZ vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebthci.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSHTMLER.DLL.MUID vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenapdsnap.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameREGSVC.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesbdropj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebrserid.sys.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamecomdlg32.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSXS.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedps.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMPNSCFG.EXE.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesdclt.exe.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWEBCHECK.DLL.MUID vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAuxiliaryDisplayCpl.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMBLCTR.EXE.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameEFSADU.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWPDMTPDR.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameNetworkItemFactory.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaudiodev.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaelupsvc.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamejscript.dll.muiH vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpedit.dll.muij% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSOERES.DLL.MUIj% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2952786096.0000000000588000.00000004.00000040.sdmp Binary or memory string: OriginalFilenameGALDEBR.exeFE2X vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2952433246.00000000001F0000.00000008.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2952513411.0000000000314000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameRegAsm.exeT vs Zapytanie ofertowe (THERMAR 04152021).exe
Source: Zapytanie ofertowe (THERMAR 04152021).exe Binary or memory string: OriginalFilenameGALDEBR.exe vs Zapytanie ofertowe (THERMAR 04152021).exe
Uses 32bit PE files
Source: Zapytanie ofertowe (THERMAR 04152021).exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@7/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\KTDIPTU6.txt Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe File created: C:\Users\user\AppData\Local\Temp\~DF0A81196D88116507.TMP Jump to behavior
Source: Zapytanie ofertowe (THERMAR 04152021).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Zapytanie ofertowe (THERMAR 04152021).exe Virustotal: Detection: 16%
Source: Zapytanie ofertowe (THERMAR 04152021).exe ReversingLabs: Detection: 14%
Source: unknown Process created: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY
PE file contains an invalid checksum
Source: Zapytanie ofertowe (THERMAR 04152021).exe Static PE information: real checksum: 0x20705 should be: 0x2309f
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_0040C87D pushad ; ret 0_2_0040C8B2
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_0040C1C5 push 7600FFCEh; iretd 0_2_0040C1CA
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_00403191 pushad ; iretd 0_2_00403192
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_004082EC push edi; ret 0_2_004082F4
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_004056FA push FFFFFFB0h; ret 0_2_004056FC
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_002E0052 push edx; ret 0_2_002E005C
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_002E4852 push cs; ret 0_2_002E4853
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_002E5699 push ds; ret 0_2_002E56A6
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_002E0100 push 944EEDE5h; retf 0_2_002E0112

Hooking and other Techniques for Hiding and Protection:

barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (71).png
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00303BC7 InternetOpenA,InternetOpenUrlA, 2_2_00303BC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0030283F 2_2_0030283F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0030287C 2_2_0030287C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003028D5 2_2_003028D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0030291A 2_2_0030291A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00302961 2_2_00302961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003029A6 2_2_003029A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00302594 CredGetTargetInfoW, 2_2_00302594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003029F7 2_2_003029F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00302A2D 2_2_00302A2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0030620B 2_2_0030620B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00302A77 2_2_00302A77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00303E48 2_2_00303E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00303E82 2_2_00303E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003066FB 2_2_003066FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00302F2A 2_2_00302F2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003027AE 2_2_003027AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0030278C 2_2_0030278C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003027EE 2_2_003027EE
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E060F second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, dl 0x0000000c call 00007F0048FFEB15h 0x00000011 test ax, 00008F5Ah 0x00000015 call 00007F0048FFBC1Eh 0x0000001a jmp 00007F0048FFBD6Ah 0x0000001c test edx, D54F987Eh 0x00000022 xor edi, edi 0x00000024 test bx, bx 0x00000027 mov ecx, 00A95F60h 0x0000002c cmp dl, dl 0x0000002e test dh, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 test bl, dl 0x00000035 call 00007F0048FFBDAEh 0x0000003a call 00007F0048FFBD68h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E334B second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0048E2FB08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F0048E2FB1Ah 0x0000001f cmp al, al 0x00000021 pop ecx 0x00000022 test ch, ch 0x00000024 add edi, edx 0x00000026 test ah, 00000072h 0x00000029 dec ecx 0x0000002a cmp bl, cl 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F0048E2FACCh 0x00000031 test cl, dl 0x00000033 push ecx 0x00000034 test bl, dl 0x00000036 call 00007F0048E2FB5Eh 0x0000003b call 00007F0048E2FB18h 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E3438 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ebx, edx 0x0000000c jmp 00007F0048E2FB1Ah 0x0000000e test al, 9Dh 0x00000010 push ecx 0x00000011 cmp eax, ebx 0x00000013 test ch, FFFFFFE9h 0x00000016 call 00007F0048E2FBCBh 0x0000001b call 00007F0048E2FB5Dh 0x00000020 lfence 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E0696 second address: 00000000002E0696 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E673B second address: 00000000002E673B instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E40C0 second address: 00000000002E40C0 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E7464 second address: 00000000002E7464 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E76B5 second address: 00000000002E76B5 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000301A80 second address: 0000000000301A80 instructions:
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E060F second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, dl 0x0000000c call 00007F0048FFEB15h 0x00000011 test ax, 00008F5Ah 0x00000015 call 00007F0048FFBC1Eh 0x0000001a jmp 00007F0048FFBD6Ah 0x0000001c test edx, D54F987Eh 0x00000022 xor edi, edi 0x00000024 test bx, bx 0x00000027 mov ecx, 00A95F60h 0x0000002c cmp dl, dl 0x0000002e test dh, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 test bl, dl 0x00000035 call 00007F0048FFBDAEh 0x0000003a call 00007F0048FFBD68h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E334B second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0048E2FB08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F0048E2FB1Ah 0x0000001f cmp al, al 0x00000021 pop ecx 0x00000022 test ch, ch 0x00000024 add edi, edx 0x00000026 test ah, 00000072h 0x00000029 dec ecx 0x0000002a cmp bl, cl 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F0048E2FACCh 0x00000031 test cl, dl 0x00000033 push ecx 0x00000034 test bl, dl 0x00000036 call 00007F0048E2FB5Eh 0x0000003b call 00007F0048E2FB18h 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E3418 second address: 00000000002E3438 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp al, dl 0x0000000d xor edi, edi 0x0000000f test al, cl 0x00000011 mov ecx, 000186A0h 0x00000016 test ax, dx 0x00000019 cmp edx, F977E25Ah 0x0000001f pushad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E3438 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ebx, edx 0x0000000c jmp 00007F0048E2FB1Ah 0x0000000e test al, 9Dh 0x00000010 push ecx 0x00000011 cmp eax, ebx 0x00000013 test ch, FFFFFFE9h 0x00000016 call 00007F0048E2FBCBh 0x0000001b call 00007F0048E2FB5Dh 0x00000020 lfence 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E3591 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0048FFE9D4h 0x0000001d popad 0x0000001e call 00007F0048FFBD95h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E0696 second address: 00000000002E0696 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E673B second address: 00000000002E673B instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E40C0 second address: 00000000002E40C0 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E7464 second address: 00000000002E7464 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe RDTSC instruction interceptor: First address: 00000000002E76B5 second address: 00000000002E76B5 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000303418 second address: 0000000000303591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp al, dl 0x0000000d xor edi, edi 0x0000000f test al, cl 0x00000011 mov ecx, 000186A0h 0x00000016 test ax, dx 0x00000019 cmp edx, F977E25Ah 0x0000001f pushad 0x00000020 nop 0x00000021 nop 0x00000022 mov eax, 00000001h 0x00000027 cpuid 0x00000029 popad 0x0000002a cmp ebx, edx 0x0000002c jmp 00007F0048FFBD6Ah 0x0000002e test al, 9Dh 0x00000030 push ecx 0x00000031 cmp eax, ebx 0x00000033 test ch, FFFFFFE9h 0x00000036 call 00007F0048FFBE1Bh 0x0000003b call 00007F0048FFBDADh 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000303591 second address: 0000000000303591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0048E32784h 0x0000001d popad 0x0000001e call 00007F0048E2FB45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000301A80 second address: 0000000000301A80 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_004095BA rdtsc 0_2_004095BA
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Window / User API: threadDelayed 375 Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Window / User API: threadDelayed 9625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9636 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2564 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2100 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2100 Thread sleep time: -120000s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 30000 Jump to behavior
Source: RegAsm.exe, 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Code function: 0_2_004095BA rdtsc 0_2_004095BA
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00303A7B LdrInitializeThunk, 2_2_00303A7B
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00303160 mov eax, dword ptr fs:[00000030h] 2_2_00303160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00303162 mov eax, dword ptr fs:[00000030h] 2_2_00303162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003055B8 mov eax, dword ptr fs:[00000030h] 2_2_003055B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003055BA mov eax, dword ptr fs:[00000030h] 2_2_003055BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003055DF mov eax, dword ptr fs:[00000030h] 2_2_003055DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00305E5C mov eax, dword ptr fs:[00000030h] 2_2_00305E5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00305E42 mov eax, dword ptr fs:[00000030h] 2_2_00305E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003066FB mov eax, dword ptr fs:[00000030h] 2_2_003066FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003066D0 mov eax, dword ptr fs:[00000030h] 2_2_003066D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00306722 mov eax, dword ptr fs:[00000030h] 2_2_00306722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_003067B4 mov eax, dword ptr fs:[00000030h] 2_2_003067B4
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 300000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe' Jump to behavior
Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY