Source: Yara match |
File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: |
Binary string: VCBJER234.pdb source: wscript.exe, 00000000.00000003.371603253.0000000003ED3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371785671.000000000476B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371651218.0000000003BCE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371908468.0000000004410000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.364263905.00000000012F2000.00000020.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr |
Source: |
Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.entrust.net/server1.crl0 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0% |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0- |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0/ |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com05 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.entrust.net03 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.entrust.net0D |
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002794000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://transfer.adttemp.com.br |
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002794000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://transfer.adttemp.com.brX |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://secure.comodo.com/CPS0 |
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://transfer.adttemp.com.br |
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://transfer.adttemp.com.br/hUkry/sirdeeeeee.txt |
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://transfer.adttemp.com.br/hUkry/sirdeeeeee.txtX~ |
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0042C563 NtClose, |
3_2_0042C563 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F07AC NtCreateMutant,LdrInitializeThunk, |
3_2_022F07AC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFAE8 NtQueryInformationProcess,LdrInitializeThunk, |
3_2_022EFAE8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFB68 NtFreeVirtualMemory,LdrInitializeThunk, |
3_2_022EFB68 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EF9F0 NtClose,LdrInitializeThunk, |
3_2_022EF9F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFDC0 NtQuerySystemInformation,LdrInitializeThunk, |
3_2_022EFDC0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F0060 NtQuerySection, |
3_2_022F0060 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F0078 NtResumeThread, |
3_2_022F0078 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F0048 NtProtectVirtualMemory, |
3_2_022F0048 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F00C4 NtCreateFile, |
3_2_022F00C4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F10D0 NtOpenProcessToken, |
3_2_022F10D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F010C NtOpenDirectoryObject, |
3_2_022F010C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F1148 NtOpenThread, |
3_2_022F1148 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F01D4 NtSetValueKey, |
3_2_022F01D4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFA20 NtQueryInformationFile, |
3_2_022EFA20 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFA50 NtEnumerateValueKey, |
3_2_022EFA50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFAB8 NtQueryValueKey, |
3_2_022EFAB8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFAD0 NtAllocateVirtualMemory, |
3_2_022EFAD0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFB50 NtCreateKey, |
3_2_022EFB50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFBB8 NtQueryInformationToken, |
3_2_022EFBB8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFBE8 NtQueryVirtualMemory, |
3_2_022EFBE8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EF8CC NtWaitForSingleObject, |
3_2_022EF8CC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EF938 NtWriteFile, |
3_2_022EF938 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F1930 NtSetContextThread, |
3_2_022F1930 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EF900 NtReadFile, |
3_2_022EF900 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFE24 NtWriteVirtualMemory, |
3_2_022EFE24 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFEA0 NtReadVirtualMemory, |
3_2_022EFEA0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFED0 NtAdjustPrivilegesToken, |
3_2_022EFED0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFF34 NtQueueApcThread, |
3_2_022EFF34 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFFB4 NtCreateSection, |
3_2_022EFFB4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFFFC NtCreateProcessEx, |
3_2_022EFFFC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFC30 NtOpenProcess, |
3_2_022EFC30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFC60 NtMapViewOfSection, |
3_2_022EFC60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFC48 NtSetInformationFile, |
3_2_022EFC48 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F0C40 NtGetContextThread, |
3_2_022F0C40 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFC90 NtUnmapViewOfSection, |
3_2_022EFC90 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFD5C NtEnumerateKey, |
3_2_022EFD5C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022EFD8C NtDelayExecution, |
3_2_022EFD8C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022F1D80 NtSuspendThread, |
3_2_022F1D80 |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Code function: 2_2_002C9970 |
2_2_002C9970 |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Code function: 2_2_002C8148 |
2_2_002C8148 |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Code function: 2_2_002C1A60 |
2_2_002C1A60 |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Code function: 2_2_002C16D0 |
2_2_002C16D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00402350 |
3_2_00402350 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0042EB83 |
3_2_0042EB83 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0040FCFB |
3_2_0040FCFB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00404486 |
3_2_00404486 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0040FD03 |
3_2_0040FD03 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00402E60 |
3_2_00402E60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_004166B3 |
3_2_004166B3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0040FF23 |
3_2_0040FF23 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0040DFA3 |
3_2_0040DFA3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023A1238 |
3_2_023A1238 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022FE2E9 |
3_2_022FE2E9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02302305 |
3_2_02302305 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0234A37B |
3_2_0234A37B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02307353 |
3_2_02307353 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023A63BF |
3_2_023A63BF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022FF3CF |
3_2_022FF3CF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023263DB |
3_2_023263DB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0232D005 |
3_2_0232D005 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0231905A |
3_2_0231905A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02303040 |
3_2_02303040 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022FE0C6 |
3_2_022FE0C6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0234A634 |
3_2_0234A634 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023A2622 |
3_2_023A2622 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02304680 |
3_2_02304680 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0230E6C1 |
3_2_0230E6C1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0230C7BC |
3_2_0230C7BC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0238579A |
3_2_0238579A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023357C3 |
3_2_023357C3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0233D47D |
3_2_0233D47D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02335485 |
3_2_02335485 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02311489 |
3_2_02311489 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0230351F |
3_2_0230351F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02346540 |
3_2_02346540 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0231C5F0 |
3_2_0231C5F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023B3A83 |
3_2_023B3A83 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02327B00 |
3_2_02327B00 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023ACBA4 |
3_2_023ACBA4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0238DBDA |
3_2_0238DBDA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022FFBD7 |
3_2_022FFBD7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0232286D |
3_2_0232286D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0230C85C |
3_2_0230C85C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0239F8EE |
3_2_0239F8EE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02385955 |
3_2_02385955 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023029B2 |
3_2_023029B2 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023A098E |
3_2_023A098E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_023169FE |
3_2_023169FE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02332E2F |
3_2_02332E2F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0231EE4C |
3_2_0231EE4C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02310F3F |
3_2_02310F3F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0232DF7C |
3_2_0232DF7C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_02330D3B |
3_2_02330D3B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0230CD5B |
3_2_0230CD5B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0239FDDD |
3_2_0239FDDD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: String function: 02343F92 appears 108 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: String function: 0234373B appears 238 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: String function: 022FE2A8 appears 38 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: String function: 0236F970 appears 81 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: String function: 022FDF5C appears 118 times |
|
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: temp_executable.exe.0.dr, AesHelper.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, AesHelper.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: unknown |
Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: dwmapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: bcrypt.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rpcrtremote.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msdart.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: wow64win.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: wow64cpu.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: version.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: bcrypt.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: rasapi32.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: rasman.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: rtutils.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: webio.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: credssp.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Section loaded: gpapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wow64win.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wow64cpu.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: winmm.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: samcli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: msacm32.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: version.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc_os.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: dwmapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mpr.dll |
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs |
.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777264)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777245))}) |
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777264)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777245))}) |
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777264)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777245))}) |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_004030E0 push eax; ret |
3_2_004030E2 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0041488D pushfd ; iretd |
3_2_0041488F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00401966 push esi; iretd |
3_2_00401967 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00402179 push ss; retf |
3_2_0040213D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00415AE7 pushad ; ret |
3_2_00415AE9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0040D4C7 push edx; ret |
3_2_0040D514 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0040D4CD push edx; ret |
3_2_0040D514 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_004154B9 push edi; retf |
3_2_004154BA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00418DD0 push ebp; ret |
3_2_00418DE6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_0040D589 push edx; ret |
3_2_0040D514 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_004116BB push edi; retf |
3_2_004116BC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00413FC3 push edi; ret |
3_2_00413FCE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_022FDFA1 push ecx; ret |
3_2_022FDFB4 |
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs |
High entropy of concatenated method names: 'D4r4O0AxSI', 'CwecqSo7Q1xXT', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy' |
Source: temp_executable.exe.0.dr, R2mIapWar4cwoqqx6Q.cs |
High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X' |
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
High entropy of concatenated method names: 'D4r4O0AxSI', 'CwecqSo7Q1xXT', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy' |
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs |
High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X' |
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs |
High entropy of concatenated method names: 'D4r4O0AxSI', 'CwecqSo7Q1xXT', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy' |
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, R2mIapWar4cwoqqx6Q.cs |
High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X' |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe TID: 3300 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3364 |
Thread sleep count: 495 > 30 |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3328 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3400 |
Thread sleep time: -30000s >= -30000s |
Source: temp_executable.exe.0.dr, ProcessExecutor.cs |
Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead) |
Source: temp_executable.exe.0.dr, ProcessExecutor.cs |
Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64) |
Source: temp_executable.exe.0.dr, ProcessExecutor.cs |
Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead) |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 |
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008 |
Source: Yara match |
File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |