Source: 00000003.00000002.467242209.0000000000B01000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=163Z2wAbbuss9WV_lMGQhSMyvIRqk02oq", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]} |
Source: RegAsm.exe.3704.3.memstr |
Malware Configuration Extractor: Agenttesla {"Username: ": "Kz6StgI", "URL: ": "https://kgxZr9SNdkYE806O36R.com", "To: ": "paulpogba4687@gmail.com", "ByHost: ": "mail.felgui.pt:587", "Password: ": "=0Ab7YuNYukAG7", "From: ": "anapereira@felgui.pt"} |
Source: RegAsm.exe, 00000003.00000002.475025452.000000001D6A1000.00000004.00000001.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegAsm.exe, 00000003.00000002.475025452.000000001D6A1000.00000004.00000001.sdmp |
String found in binary or memory: http://DynDns.comDynDNS |
Source: RegAsm.exe, 00000003.00000002.475025452.000000001D6A1000.00000004.00000001.sdmp |
String found in binary or memory: http://UugnHJ.com |
Source: RegAsm.exe, 00000003.00000002.466981864.0000000000A85000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: RegAsm.exe, 00000003.00000002.466981864.0000000000A85000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: RegAsm.exe, 00000003.00000002.466981864.0000000000A85000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q |
Source: RegAsm.exe, 00000003.00000002.466981864.0000000000A85000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0 |
Source: RegAsm.exe, 00000003.00000002.475681369.000000001D957000.00000004.00000001.sdmp |
String found in binary or memory: http://felgui.pt |
Source: RegAsm.exe, 00000003.00000002.475681369.000000001D957000.00000004.00000001.sdmp |
String found in binary or memory: http://mail.felgui.pt |
Source: RegAsm.exe, 00000003.00000002.466981864.0000000000A85000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: RegAsm.exe |
String found in binary or memory: https://drive.google.com/uc?export=download&id=163Z2wAbbuss9WV_lMGQhSMyvIRqk02oq |
Source: RegAsm.exe, 00000003.00000002.467242209.0000000000B01000.00000040.00000001.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=163Z2wAbbuss9WV_lMGQhSMyvIRqk02oq8 |
Source: RegAsm.exe, 00000003.00000002.475025452.000000001D6A1000.00000004.00000001.sdmp |
String found in binary or memory: https://kgxZr9SNdkYE806O36R.com |
Source: RegAsm.exe, 00000003.00000002.466981864.0000000000A85000.00000004.00000001.sdmp |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: RegAsm.exe, 00000003.00000002.475025452.000000001D6A1000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C8BC8F8 |
3_2_1C8BC8F8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C8B2D50 |
3_2_1C8B2D50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C8B2618 |
3_2_1C8B2618 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C8B1FE0 |
3_2_1C8B1FE0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C8BAB70 |
3_2_1C8BAB70 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C945DB8 |
3_2_1C945DB8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C940114 |
3_2_1C940114 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C94C2F8 |
3_2_1C94C2F8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C946ECB |
3_2_1C946ECB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C946F78 |
3_2_1C946F78 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C97A860 |
3_2_1C97A860 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C97C1B0 |
3_2_1C97C1B0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C97691A |
3_2_1C97691A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C97BA08 |
3_2_1C97BA08 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C972FD4 |
3_2_1C972FD4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C97A058 |
3_2_1C97A058 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C994E60 |
3_2_1C994E60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C996580 |
3_2_1C996580 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C99B0E8 |
3_2_1C99B0E8 |
Source: faktura_POfk.exe, 00000000.00000002.249424652.0000000002090000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs faktura_POfk.exe |
Source: faktura_POfk.exe, 00000000.00000002.249171582.0000000000412000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameHidings1.exe vs faktura_POfk.exe |
Source: faktura_POfk.exe, 00000000.00000002.250122095.0000000002970000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameHidings1.exeFE2XADP vs faktura_POfk.exe |
Source: faktura_POfk.exe |
Binary or memory string: OriginalFilenameHidings1.exe vs faktura_POfk.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\faktura_POfk.exe 'C:\Users\user\Desktop\faktura_POfk.exe' |
|
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_POfk.exe' |
|
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_POfk.exe' |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_POfk.exe' |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_POfk.exe' |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Code function: 0_2_00406C7A push ss; iretd |
0_2_00406CC0 |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Code function: 0_2_00405B9B pushad ; iretd |
0_2_00405B9C |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Code function: 0_2_020C0022 push esp; ret |
0_2_020C0023 |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Code function: 0_2_020C305F push ecx; ret |
0_2_020C3060 |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Code function: 0_2_020C1CD7 push edi; iretd |
0_2_020C1CD9 |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Code function: 0_2_020C1F03 push 5CE4906Ch; retf |
0_2_020C1F10 |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Code function: 0_2_020C355F push ebp; retf |
0_2_020C356E |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Code function: 0_2_020C0981 push ds; iretd |
0_2_020C0A0E |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Code function: 0_2_020C13C3 push cs; ret |
0_2_020C13C4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C8B7A37 push edi; retn 0000h |
3_2_1C8B7A39 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C9494D4 push esi; iretd |
3_2_1C9494D5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C94D09A push ss; iretd |
3_2_1C94D09C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C94D0A2 push ss; iretd |
3_2_1C94D0A7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_1C990DD0 push 3C1C98CBh; retf |
3_2_1C990DD5 |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
RDTSC instruction interceptor: First address: 00000000020C1897 second address: 00000000020C1897 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FA9E8A0E888h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test dx, bx 0x00000021 add edi, edx 0x00000023 dec ecx 0x00000024 cmp ecx, 00000000h 0x00000027 jne 00007FA9E8A0E85Ch 0x00000029 push ecx 0x0000002a pushad 0x0000002b mov dx, 901Ch 0x0000002f cmp dx, 901Ch 0x00000034 jne 00007FA9E8A0D24Fh 0x0000003a popad 0x0000003b test dx, ax 0x0000003e call 00007FA9E8A0E89Eh 0x00000043 call 00007FA9E8A0E898h 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc |
Source: C:\Users\user\Desktop\faktura_POfk.exe |
RDTSC instruction interceptor: First address: 00000000020C1971 second address: 00000000020C1971 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FA9E88745D9h 0x0000001d popad 0x0000001e call 00007FA9E88733A6h 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000000B01971 second address: 0000000000B01971 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FA9E8A0FAD9h 0x0000001d popad 0x0000001e call 00007FA9E8A0E8A6h 0x00000023 lfence 0x00000026 rdtsc |
Source: RegAsm.exe, 00000003.00000002.468271202.0000000001250000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: RegAsm.exe, 00000003.00000002.468271202.0000000001250000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 00000003.00000002.468271202.0000000001250000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: RegAsm.exe, 00000003.00000002.468271202.0000000001250000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Jump to behavior |