Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: http://cthUYD.com |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0 |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.bin |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_004017AC |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_0224282A |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022428A3 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02245CAF |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022406C3 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02240ED2 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02240F34 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02240702 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_0224651E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 25_2_1DD747A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 25_2_1DD74790 |
Source: HSBC Customer Information.exe, 00000000.00000000.208413125.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe |
Source: HSBC Customer Information.exe | Binary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe |
Source: unknown | Process created: C:\Users\user\Desktop\HSBC Customer Information.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_00407D36 push 0000000Fh; ret |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_004059AE push ecx; ret |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02241E3C push esp; ret |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_0224460E push ebp; iretd |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02244412 push esp; retf |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_0224301F push ebx; iretd |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02240A5C push esi; retf |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022446B5 push ebp; iretd |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02242D18 push ebx; iretd |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02246B6D push ecx; retf |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022441BE push ebx; iretd |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02241F89 push 0000001Dh; ret |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02244192 push ebx; iretd |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022467E2 pushad ; retf |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022445F1 push ebp; iretd |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (48 identical entries) |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | File opened: C:\Program Files\qga\qga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://QREXTECHNOLOGIES.COM/BARRR09_HVPBNJRE68.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO |
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | RDTSC instruction interceptor: First address: 000000000040BC41 second address: 000000000040BC41 instructions:
    0x00000000 rdtsc
    0x00000002 cmp edx, 000000F3h
    0x00000008 xor eax, edx
    0x0000000a cmp cx, 00E8h
    0x0000000f dec edi
    0x00000010 cmp bx, 00DDh
    0x00000015 fabs
    0x00000017 jmp 00007FC36C4BB470h
    0x00000019 cmp edi, 00000000h
    0x0000001c jne 00007FC36C4BB393h
    0x00000022 cmp si, 00BBh
    0x00000027 mov ebx, F06F76B6h
    0x0000002c cmp dh, FFFFFFACh
    0x0000002f sub ebx, 2716C148h
    0x00000035 cmp ebx, 24h
    0x00000038 xor ebx, 6F5BB001h
    0x0000003e cmp di, 0030h
    0x00000042 punpckldq mm1, mm7
    0x00000045 jmp 00007FC36C4BB474h
    0x00000047 xor ebx, A643056Fh
    0x0000004d cmp ah, 00000026h
    0x00000050 cmp cl, FFFFFF90h
    0x00000053 rdtsc |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Window / User API: threadDelayed 684 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Window / User API: threadDelayed 9316 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9139 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 685 |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko |
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll |
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger (2 identical entries) |
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical entries) |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
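Three things in the rows above are what an analyst pulls out of a report like this first: the URL strings that may be download or C2 hosts, the child process (RegAsm.exe) started with a command line that names a different executable, and the sandbox-evasion artifacts (file probes for the QEMU guest-agent binaries, HideFromDebugger, the RDTSC pair, long thread delays). The script below is an added example written for this page, not the sandbox vendor's tooling or code from the sample; it parses rows in the report's own layout (Source: <process or dump> | <observation> |) and applies those three checks. The embedded rows are a constructed subset copied from the report above (the RDTSC row shortened to its first and last instruction); the indicator labels, the loopback allowlist and the regular expressions are the author's assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of the report rows above in their original
# layout (the RDTSC row is shortened to its first and last instruction).
SAMPLE_ROWS = r"""
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0 |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.bin |
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 |
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: unknown | Process created: C:\Users\user\Desktop\HSBC Customer Information.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | RDTSC instruction interceptor: First address: 000000000040BC41 second address: 000000000040BC41 instructions: 0x00000000 rdtsc 0x00000053 rdtsc |
Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9139 |
"""

# One report row: "Source: <process or memory dump> | <observation> |"
ROW_RE = re.compile(r"^Source:\s*(?P<source>.*?)\s*\|\s*(?P<obs>.*)$")
# Host part of a URL string; stops at '/', ':' or '%' because sandbox string
# extraction glues adjacent strings together (see the wininet.dll hit above).
HOST_RE = re.compile(r"https?://([^/\s|%:]+)", re.IGNORECASE)
# "Process created: <image path> <command line>"; image paths may contain spaces.
PROC_RE = re.compile(r"^Process created:\s*(?P<image>.+?\.exe)\s+(?P<cmdline>.+)$", re.IGNORECASE)
# First executable path named inside the command line (quotes are ignored).
CMD_EXE_RE = re.compile(r"[A-Za-z]:\\.+?\.exe", re.IGNORECASE)

LOOPBACK = {"127.0.0.1", "localhost"}  # assumed allowlist: recorded, not reported as IOCs

# Assumed indicator labels; each regex runs against the observation part of a row.
EVASION_RULES = (
    ("vm_artifact_probe", re.compile(r"^File opened: .*\\(qemu-ga|qga)\.exe$", re.IGNORECASE)),
    ("anti_debug_thread_hide", re.compile(r"^Thread information set: HideFromDebugger$")),
    ("rdtsc_timing_check", re.compile(r"^RDTSC instruction interceptor")),
    ("sleep_based_delay", re.compile(r"threadDelayed \d+")),
)


@dataclass
class Triage:
    network_hosts: set = field(default_factory=set)       # candidate download/C2 hosts
    loopback_hosts: set = field(default_factory=set)      # allowlisted, kept for the record
    spoofed_children: list = field(default_factory=list)  # (parent, image, exe named in command line)
    evasion: dict = field(default_factory=dict)           # indicator label -> set of source processes


def triage(report_text: str) -> Triage:
    """Parse report rows and collect hosts, image/command-line mismatches and evasion indicators."""
    result = Triage()
    for line in report_text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a report row
        source = m.group("source")
        obs = m.group("obs").rstrip(" |")  # drop the trailing cell delimiter

        for host in HOST_RE.findall(obs):
            host = host.lower()
            (result.loopback_hosts if host in LOOPBACK else result.network_hosts).add(host)

        pm = PROC_RE.match(obs)
        if pm:
            image = pm.group("image")
            cm = CMD_EXE_RE.search(pm.group("cmdline"))
            # A child whose command line names a different executable than its image
            # is the tell for process hollowing / command-line spoofing (RegAsm.exe here).
            if cm and cm.group(0).lower() != image.lower():
                result.spoofed_children.append((source, image, cm.group(0)))

        for label, rule in EVASION_RULES:
            if rule.search(obs):
                result.evasion.setdefault(label, set()).add(source)
    return result


def summarize(t: Triage) -> str:
    """Human-readable triage summary."""
    lines = ["candidate network hosts: " + ", ".join(sorted(t.network_hosts))]
    for parent, image, claimed in t.spoofed_children:
        lines.append(f"image/command-line mismatch: {image} (parent {parent}) claims to be {claimed}")
    for label, procs in sorted(t.evasion.items()):
        lines.append(f"{label}: {len(procs)} process(es)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_ROWS)))
```

Two caveats when running this over a full report: string hits are frequently several adjacent strings run together (the DynDns.comDynDNS and .binwininet.dllMozilla/5.0 rows above), so every host the script returns still needs a look before it goes on a blocklist; and a child whose command line repeats its own image path, as conhost.exe does here, is normal and is deliberately not flagged.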