Source: RegAsm.exe.900.15.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"} |
Source: NOTICE OF PAYMENT.exe | Virustotal: Detection: 37% |
Source: NOTICE OF PAYMENT.exe | ReversingLabs: Detection: 24% |
Source: https://qrextechnologies.com/barrr09_rjFnAm147.bin | Avira URL Cloud: Label: malware |
Source: NOTICE OF PAYMENT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: unknown | HTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.4:49831 version: TLS 1.2 |
Source: global traffic | HTTP traffic detected: GET /barrr09_rjFnAm147.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qrextechnologies.comCache-Control: no-cache |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831 |
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443 |
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp | String found in binary or memory: http://cthUYD.com |
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0 |
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: NOTICE OF PAYMENT.exe | Static file information: Suspicious name |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_00408F9F | 0_2_00408F9F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_1FE847A0 | 15_2_1FE847A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_1FE84790 | 15_2_1FE84790 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_1FE84772 | 15_2_1FE84772 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Process Stats: CPU usage > 98% |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 98% |
Source: NOTICE OF PAYMENT.exe, 00000000.00000000.662763122.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDopesheetnix5.exe vs NOTICE OF PAYMENT.exe |
Source: NOTICE OF PAYMENT.exe | Binary or memory string: OriginalFilenameDopesheetnix5.exe vs NOTICE OF PAYMENT.exe |
Source: NOTICE OF PAYMENT.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: NOTICE OF PAYMENT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: unknown | Process created: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe 'C:\Users\user\Desktop\NOTICE OF PAYMENT.exe' |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\NOTICE OF PAYMENT.exe' |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@4/0@1/1 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_01 |
Source: Yara match | File source: 00000000.00000002.1064174935.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_00405E76 push ds; ret | 0_2_00405E7A |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_00407821 push ecx; retf | 0_2_00407822 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_004062CE push es; ret | 0_2_004062D3 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_00403D0D push edi; iretd | 0_2_00403D13 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_00403B2F push esi; iretd | 0_2_00403B64 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_00406FCC pushfd ; retf | 0_2_00406FCD |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB44AB push edx; ret | 0_2_02AB44BE |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB4A89 push ds; ret | 0_2_02AB4AD9 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB1284 push edx; retf | 0_2_02AB1282 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB2A9D push eax; iretd | 0_2_02AB2AA4 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB4CE0 push ebx; ret | 0_2_02AB4CE6 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB44D7 push edx; ret | 0_2_02AB44BE |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB122A push edx; retf | 0_2_02AB1282 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB4E26 push edx; ret | 0_2_02AB4E4A |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB2624 push esi; ret | 0_2_02AB260A |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB2C32 push ecx; iretd | 0_2_02AB2C34 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB3436 push edx; ret | 0_2_02AB343A |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB560C push edx; retf | 0_2_02AB5626 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB1A05 push edx; ret | 0_2_02AB1A16 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB1019 push es; iretd | 0_2_02AB10B8 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB3A7C push esp; iretd | 0_2_02AB3A84 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB3A71 push edx; retf | 0_2_02AB3A7A |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB1874 push edx; ret | 0_2_02AB187A |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB25A8 push esi; ret | 0_2_02AB260A |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB432E push edi; retf | 0_2_02AB432F |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Code function: 0_2_02AB1B6D pushad ; iretd | 0_2_02AB1B90 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | File opened: C:\Program Files\qga\qga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe |
Source: NOTICE OF PAYMENT.exe, 00000000.00000002.1064212636.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: NOTICE OF PAYMENT.exe, 00000000.00000002.1064212636.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | RDTSC instruction interceptor: First address: 000000000040BA3A second address: 000000000040BA3A instructions: 0x00000000 rdtsc 0x00000002 cmp bh, FFFFFFAEh 0x00000005 xor eax, edx 0x00000007 cmp edx, 000000D5h 0x0000000d dec edi 0x0000000e cmp esi, 000000AFh 0x00000014 movd xmm6, eax 0x00000018 jmp 00007F830CB02BA1h 0x0000001a cmp edi, 00000000h 0x0000001d jne 00007F830CB02AC0h 0x00000023 cmp eax, 0000009Fh 0x00000028 mov ebx, 8E39E371h 0x0000002d cmp di, 00ECh 0x00000032 xor ebx, 70C88D55h 0x00000038 cmp dx, 00FAh 0x0000003d xor ebx, 7E685535h 0x00000043 cmp si, 00FCh 0x00000048 wait 0x00000049 jmp 00007F830CB02B9Fh 0x0000004b add ebx, 7FA6C4EFh 0x00000051 cmp ecx, 000000F9h 0x00000057 cmp cl, FFFFFFBAh 0x0000005a rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Window / User API: threadDelayed 895 |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Window / User API: threadDelayed 9105 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 810 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2013 |
Source: NOTICE OF PAYMENT.exe, 00000000.00000002.1064212636.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll |
Source: NOTICE OF PAYMENT.exe, 00000000.00000002.1064212636.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger |
Source: RegAsm.exe, 0000000F.00000002.1188201679.0000000001710000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: RegAsm.exe, 0000000F.00000002.1188201679.0000000001710000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 0000000F.00000002.1188201679.0000000001710000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: RegAsm.exe, 0000000F.00000002.1188201679.0000000001710000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: Yara match | File source: 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORYSTR |