Analysis Report Encomenda a Fornecedor n#U00ba 2177.exe

Overview

General Information

Sample Name: Encomenda a Fornecedor n#U00ba 2177.exe
Analysis ID: 255474
MD5: 05fbb43cc400bde8bbe2906e2d80d3a1
SHA1: 3c9c83a029cec65cb1a45f60aca45ca2eec9215f
SHA256: f67337d939b7a8d33762e080856099d05b5ff3404bc285f4dd249281289f57c8


Detection

AgentTesla
Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Add file from suspicious location to autostart registry
Yara detected AgentTesla
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the startup folder
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Startup

  • System is w10x64
  • Encomenda a Fornecedor n#U00ba 2177.exe (PID: 7008 cmdline: 'C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe' MD5: 05FBB43CC400BDE8BBE2906E2D80D3A1)
    • cmd.exe (PID: 6996 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 1836 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • jas.exe (PID: 5784 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe' MD5: 05FBB43CC400BDE8BBE2906E2D80D3A1)
  • pcalua.exe (PID: 6156 cmdline: 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe MD5: CEB78417C510515FDE2B7AAED78063B4)
  • pcalua.exe (PID: 6340 cmdline: 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe MD5: CEB78417C510515FDE2B7AAED78063B4)
  • jas.exe (PID: 4420 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe' MD5: 05FBB43CC400BDE8BBE2906E2D80D3A1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.361139910.00000000065ED000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.361909600.00000000065F4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.358688390.00000000065A5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.361732649.00000000065F4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.358563495.0000000006582000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

            Sigma Overview

            System Summary:

Sigma detected: Add file from suspicious location to autostart registry
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe', CommandLine: 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe' , ParentImage: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe, ParentProcessId: 7008, ProcessCommandLine: 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe', ProcessId: 6996

            Signature Overview

Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.363528699.000000000106B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            System Summary:

.NET source code contains very large array initializations
Source: Encomenda a Fornecedor n#U00ba 2177.exe, u0032pu0029DtW6u0028Fu0024/u0032mu0021Npu002bF8R5.cs | Large array initialization: fZ!5~k7Sq6: array initializer size 91648
Source: jas.exe.0.dr, u0032pu0029DtW6u0028Fu0024/u0032mu0021Npu002bF8R5.cs | Large array initialization: fZ!5~k7Sq6: array initializer size 91648
Source: 0.2.Encomenda a Fornecedor n#U00ba 2177.exe.980000.0.unpack, u0032pu0029DtW6u0028Fu0024/u0032mu0021Npu002bF8R5.cs | Large array initialization: fZ!5~k7Sq6: array initializer size 91648
Source: 0.0.Encomenda a Fornecedor n#U00ba 2177.exe.980000.0.unpack, u0032pu0029DtW6u0028Fu0024/u0032mu0021Npu002bF8R5.cs | Large array initialization: fZ!5~k7Sq6: array initializer size 91648
Source: 22.0.jas.exe.fd0000.0.unpack, u0032pu0029DtW6u0028Fu0024/u0032mu0021Npu002bF8R5.cs | Large array initialization: fZ!5~k7Sq6: array initializer size 91648
Source: 22.2.jas.exe.fd0000.0.unpack, u0032pu0029DtW6u0028Fu0024/u0032mu0021Npu002bF8R5.cs | Large array initialization: fZ!5~k7Sq6: array initializer size 91648
Source: 24.0.jas.exe.980000.0.unpack, u0032pu0029DtW6u0028Fu0024/u0032mu0021Npu002bF8R5.cs | Large array initialization: fZ!5~k7Sq6: array initializer size 91648
Source: 24.2.jas.exe.980000.0.unpack, u0032pu0029DtW6u0028Fu0024/u0032mu0021Npu002bF8R5.cs | Large array initialization: fZ!5~k7Sq6: array initializer size 91648
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Code function: 0_2_012631A8 0_2_012631A8
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Code function: 0_2_01262060 0_2_01262060
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Code function: 0_2_0126AD67 0_2_0126AD67
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Code function: 0_2_0126AD78 0_2_0126AD78
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Code function: 22_2_01852060 22_2_01852060
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Code function: 24_2_02C931A8 24_2_02C931A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Code function: 24_2_02C92060 24_2_02C92060
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000003.361139910.00000000065ED000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDbnJCCNtURazpmQSvgPUpXyWFgUcWmSYP.exem vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000003.340760787.0000000006A84000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenewwwwww.exeD vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000003.358438379.00000000066B5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDbnJCCNtURazpmQSvgPUpXyWFgUcWmSYP.exeF vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.363528699.000000000106B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.368860059.0000000006D20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.369567653.0000000007000000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.366210099.0000000003D00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWlOsyZq.dllF vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.365042659.0000000002CF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameresourceLib.dll8 vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.365042659.0000000002CF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDbnJCCNtURazpmQSvgPUpXyWFgUcWmSYP.exe vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.366293451.0000000003D6A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDbnJCCNtURazpmQSvgPUpXyWFgUcWmSYP.exe4 vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.368644642.0000000006A20000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAddInProcess32.exeT vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe | Binary or memory string: OriginalFilenamenewwwwww.exeD vs Encomenda a Fornecedor n#U00ba 2177.exe
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
Source: classification engine | Classification label: mal51.troj.adwa.winEXE@11/5@0/0
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: Encomenda a Fornecedor n#U00ba 2177.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File read: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe
Source: unknown | Process created: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe 'C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
Source: unknown | Process created: C:\Windows\System32\pcalua.exe 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\System32\pcalua.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Encomenda a Fornecedor n#U00ba 2177.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Encomenda a Fornecedor n#U00ba 2177.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.368644642.0000000006A20000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: AddInProcess32.pdbpw source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.368644642.0000000006A20000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Code function: 0_2_00982B05 push esp; iretd 0_2_00982B0F
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Code function: 0_2_00982EA8 push ebx; iretd 0_2_00982EA9
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Code function: 0_2_00982CDA push edi; retf 0_2_00982D1A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Code function: 22_2_00FD2CDA push edi; retf 22_2_00FD2D1A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Code function: 22_2_00FD2EA8 push ebx; iretd 22_2_00FD2EA9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Code function: 22_2_00FD2B05 push esp; iretd 22_2_00FD2B0F
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe
Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

            Boot Survival:

            barindex
            Creates an autostart registry key pointing to binary in C:\WindowsShow sources
            Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jasJump to behavior
            Drops PE files to the startup folderShow sources
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeJump to dropped file
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe\:Zone.Identifier:$DATAJump to behavior
            Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jasJump to behavior
            Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jasJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\pcalua.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: C:\Windows\System32\pcalua.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Window / User API: threadDelayed 875
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe TID: 7084 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe TID: 6808 | Thread sleep count: 299 > 30
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe TID: 6808 | Thread sleep count: 875 > 30
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe TID: 7036 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe TID: 4920 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe TID: 5156 | Thread sleep count: 183 > 30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe TID: 928 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe TID: 6200 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe TID: 5164 | Thread sleep count: 181 > 30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe TID: 3492 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
            Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.369567653.0000000007000000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.303401474.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: jas.exe, 00000018.00000002.418136447.0000000003CC1000.00000004.00000001.sdmp | Binary or memory string: VMware, Inc.
            Source: jas.exe, 00000018.00000002.418136447.0000000003CC1000.00000004.00000001.sdmp | Binary or memory string: CompanyNameVMware, Inc.2
            Source: jas.exe, 00000018.00000002.418136447.0000000003CC1000.00000004.00000001.sdmp | Binary or memory string: ProductNameVMware WorkstationP
            Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.369567653.0000000007000000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.303401474.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.369567653.0000000007000000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.303401474.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: jas.exe, 00000018.00000002.418136447.0000000003CC1000.00000004.00000001.sdmp | Binary or memory string: CommentsVMware Workstation:
            Source: jas.exe, 00000018.00000002.418136447.0000000003CC1000.00000004.00000001.sdmp | Binary or memory string: VMware Workstation
            Source: Encomenda a Fornecedor n#U00ba 2177.exe, 00000000.00000002.369567653.0000000007000000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.303401474.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe'
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Queries volume information: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe VolumeInformation
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe VolumeInformation
            Source: C:\Users\user\Desktop\Encomenda a Fornecedor n#U00ba 2177.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected AgentTesla
            Source: Yara match | File source: 00000000.00000003.361139910.00000000065ED000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.361909600.00000000065F4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.358688390.00000000065A5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.361732649.00000000065F4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.358563495.0000000006582000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.366293451.0000000003D6A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.358636185.0000000006592000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.366421854.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.365042659.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.361417282.00000000065F4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.361617318.00000000065F4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Encomenda a Fornecedor n#U00ba 2177.exe PID: 7008, type: MEMORY

            Remote Access Functionality:

            Yara detected AgentTesla
            Source: Yara match | File source: 00000000.00000003.361139910.00000000065ED000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.361909600.00000000065F4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.358688390.00000000065A5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.361732649.00000000065F4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.358563495.0000000006582000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.366293451.0000000003D6A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.358636185.0000000006592000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.366421854.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.365042659.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.361417282.00000000065F4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.361617318.00000000065F4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Encomenda a Fornecedor n#U00ba 2177.exe PID: 7008, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation | Startup Items1 | Startup Items1 | Masquerading1 | Input Capture1 | Security Software Discovery11 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder221 | Process Injection11 | Modify Registry1 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder221 | Virtualization/Sandbox Evasion3 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection11 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 255474
            Sample: Encomenda a Fornecedor n#U0...
            Startdate: 01/08/2020
            Architecture: WINDOWS
            Score: 51
            Signatures on the sample node: Yara detected AgentTesla; Sigma detected: Add file from suspicious location to autostart registry; .NET source code contains very large array initializations; Drops PE files to the startup folder
            Processes started from the sample node: Encomenda a Fornecedor n#U00ba 2177.exe, jas.exe, pcalua.exe, pcalua.exe
            Files dropped by Encomenda a Fornecedor n#U00ba 2177.exe: C:\Users\user\AppData\Roaming\...\jas.exe (PE32), C:\Users\user\AppData\...\AddInProcess32.exe (PE32)
            Processes started by Encomenda a Fornecedor n#U00ba 2177.exe: cmd.exe, jas.exe
            Processes started by cmd.exe: reg.exe, conhost.exe
            Signature on reg.exe: Creates an autostart registry key pointing to binary in C:\Windows

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.