Play interactive tour

Edit tour

Analysis Report Dimmock5.exe

Overview

General Information

Sample Name:	Dimmock5.exe
Analysis ID:	381541
MD5:	1f6c8e6472b60d49704703c99b28a4b8
SHA1:	1770766f6cfb51725e035b0f38f560bf03d73fae
SHA256:	e0e93e3b7866085b8384948d12a2eb613fc9eb0bc283fbbe12841a5dca11ba9f
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Dimmock5.exe (PID: 4708 cmdline: 'C:\Users\user\Desktop\Dimmock5.exe' MD5: 1F6C8E6472B60D49704703C99B28A4B8)

RegAsm.exe (PID: 5596 cmdline: 'C:\Users\user\Desktop\Dimmock5.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "kpYtlUSCkDM", "URL: ": "http://JgAptYOPYbQxfk.net", "To: ": "", "ByHost: ": "mail.palacioguevara.com:587", "Password: ": "sUUgblUr6c", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 5596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5596	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 54.37.255.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 5596, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49754

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegAsm.exe.5596.22.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "kpYtlUSCkDM", "URL: ": "http://JgAptYOPYbQxfk.net", "To: ": "", "ByHost: ": "mail.palacioguevara.com:587", "Password: ": "sUUgblUr6c", "From: ": ""}

Multi AV Scanner detection for submitted file

Show sources

Source: Dimmock5.exe	Virustotal: Detection: 56%	Perma Link
Source: Dimmock5.exe	Metadefender: Detection: 24%	Perma Link
Source: Dimmock5.exe	ReversingLabs: Detection: 72%

Source: Dimmock5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: unknown

HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.3:49741 version: TLS 1.2

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000016.00000002.736394339.0000000020E00000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://JgAptYOPYbQxfk.net

Source: global traffic

TCP traffic: 192.168.2.3:49754 -> 54.37.255.108:587

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.3:49754 -> 54.37.255.108:587

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 22_2_1DECA09A recv,

Source: unknown

DNS traffic detected: queries for: doc-14-04-docs.googleusercontent.com

Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://ENtKzK.com
Source: RegAsm.exe, 00000016.00000002.734926660.000000001E1A8000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://JgAptYOPYbQxfk.net
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1bR5iuFkkMmFeiPqo3eCvIQyKbcDGCnIO
Source: RegAsm.exe, 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1bR5iuFkkMmFeiPqo3eCvIQyKbcDGCnIO8
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443

Source: unknown

HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.3:49741 version: TLS 1.2

Source: Dimmock5.exe, 00000000.00000002.457921405.000000000060A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\Dimmock5.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_01353325 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1DECB0BA NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1DECB089 NtQuerySystemInformation,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E9938
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2EEE08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E6310
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E7A10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E0860
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E4B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E0CA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E2290
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E6B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E8AE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_2029EAEC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_20298320

Source: Dimmock5.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Dimmock5.exe, 00000000.00000002.457965940.00000000020A0000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs Dimmock5.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Source: Dimmock5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1DECAF3E AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1DECAF07 AdjustTokenPrivileges,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_01

Source: Dimmock5.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Dimmock5.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Dimmock5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Dimmock5.exe	Virustotal: Detection: 56%
Source: Dimmock5.exe	Metadefender: Detection: 24%
Source: Dimmock5.exe	ReversingLabs: Detection: 72%

Source: unknown	Process created: C:\Users\user\Desktop\Dimmock5.exe 'C:\Users\user\Desktop\Dimmock5.exe'
Source: C:\Users\user\Desktop\Dimmock5.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Dimmock5.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000016.00000002.736394339.0000000020E00000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

Source: C:\Users\user\Desktop\Dimmock5.exe	Code function: 0_2_00404CCD push FFFFFF83h; iretd
Source: C:\Users\user\Desktop\Dimmock5.exe	Code function: 0_2_00404D0C push ss; iretd
Source: C:\Users\user\Desktop\Dimmock5.exe	Code function: 0_2_00406126 push ss; ret
Source: C:\Users\user\Desktop\Dimmock5.exe	Code function: 0_2_00401E1C push esp; retf 0040h
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E35F0 push ebp; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_2029C6EA push esp; retf

Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Dimmock5.exe

RDTSC instruction interceptor: First address: 000000000052193C second address: 000000000052193C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F8844813058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e cmp ebx, 077948D8h 0x00000024 test dl, bl 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F8844813039h 0x0000002e test edx, edx 0x00000030 push ecx 0x00000031 call 00007F8844813079h 0x00000036 call 00007F8844813068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Function Chain: systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe, 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF9
Source: Dimmock5.exe, 00000000.00000002.457913128.0000000000600000.00000004.00000020.sdmp	Binary or memory string: CC:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEEL
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Dimmock5.exe	RDTSC instruction interceptor: First address: 000000000052193C second address: 000000000052193C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F8844813058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e cmp ebx, 077948D8h 0x00000024 test dl, bl 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F8844813039h 0x0000002e test edx, edx 0x00000030 push ecx 0x00000031 call 00007F8844813079h 0x00000036 call 00007F8844813068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Dimmock5.exe	RDTSC instruction interceptor: First address: 0000000000521A07 second address: 0000000000521A07 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F884475F716h 0x0000001d popad 0x0000001e cmp bx, cx 0x00000021 call 00007F884475E363h 0x00000026 lfence 0x00000029 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001351A07 second address: 0000000001351A07 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F8844814416h 0x0000001d popad 0x0000001e cmp bx, cx 0x00000021 call 00007F8844813063h 0x00000026 lfence 0x00000029 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 22_2_01351A04 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Window / User API: threadDelayed 701

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736	Thread sleep time: -21030000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000

Source: RegAsm.exe, 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef9
Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Dimmock5.exe, 00000000.00000002.457913128.0000000000600000.00000004.00000020.sdmp	Binary or memory string: cC:\Program Files\Qemu-ga\qemu-ga.exeel
Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 22_2_01351A04 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 22_2_0135219B LdrInitializeThunk,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_01353025 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_0135187E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_01352B6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_01352943 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Access Token Manipulation1	Disable or Modify Tools11	OS Credential Dumping2	Security Software Discovery631	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection2	Virtualization/Sandbox Evasion341	Input Capture1	Process Discovery2	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Access Token Manipulation1	Credentials in Registry1	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection2	NTDS	Application Window Discovery1	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol112	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery314	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Dimmock5.exe	57%	Virustotal		Browse
Dimmock5.exe	27%	Metadefender		Browse
Dimmock5.exe	72%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
palacioguevara.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ENtKzK.com	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://JgAptYOPYbQxfk.net	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
palacioguevara.com	54.37.255.108	true	true	0%, Virustotal, Browse	unknown
googlehosted.l.googleusercontent.com	172.217.23.33	true	false		high
doc-14-04-docs.googleusercontent.com	unknown	unknown	false		high
mail.palacioguevara.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://JgAptYOPYbQxfk.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ENtKzK.com	RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.37.255.108	palacioguevara.com	France		16276	OVHFR	true
172.217.23.33	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	381541
Start date:	03.04.2021
Start time:	21:26:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Dimmock5.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 67% (good quality ratio 41%) Quality average: 41.7% Quality standard deviation: 40%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 40.88.32.150, 93.184.220.29, 168.61.161.212, 52.255.188.83, 104.43.139.144, 104.42.151.234, 184.30.24.56, 20.190.159.131, 40.126.31.140, 40.126.31.136, 40.126.31.3, 40.126.31.7, 40.126.31.9, 40.126.31.142, 40.126.31.2, 20.82.209.183, 92.122.213.247, 92.122.213.194, 20.54.26.129, 20.82.210.154, 172.217.20.238, 52.155.217.156 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:29:05	API Interceptor	1029x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	document-1302325198.xls	Get hash	malicious	Browse	198.50.218.68
	document-1031166636.xls	Get hash	malicious	Browse	198.50.218.68
	document-2021014062.xls	Get hash	malicious	Browse	198.50.218.68
	document-1568991333.xls	Get hash	malicious	Browse	198.50.218.68
	document-1012037614.xls	Get hash	malicious	Browse	198.50.218.68
	document-1307680126.xls	Get hash	malicious	Browse	198.50.218.68
	document-986812161.xls	Get hash	malicious	Browse	198.50.218.68
	document-550881172.xls	Get hash	malicious	Browse	198.50.218.68
	document-1042699213.xls	Get hash	malicious	Browse	198.50.218.68
	document-1455377818.xls	Get hash	malicious	Browse	198.50.218.68
	document-980795635.xls	Get hash	malicious	Browse	198.50.218.68
	document-340500177.xls	Get hash	malicious	Browse	198.50.218.68
	document-921217151.xls	Get hash	malicious	Browse	198.50.218.68
	document-1500258943.xls	Get hash	malicious	Browse	198.50.218.68
	document-1823104059.xls	Get hash	malicious	Browse	198.50.218.68
	document-1434617389.xls	Get hash	malicious	Browse	198.50.218.68
	document-103083228.xls	Get hash	malicious	Browse	198.50.218.68
	document-1913529948.xls	Get hash	malicious	Browse	198.50.218.68
	document-758557531.xls	Get hash	malicious	Browse	198.50.218.68
	document-707357347.xls	Get hash	malicious	Browse	198.50.218.68

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	pQlSDfwyYkf.js	Get hash	malicious	Browse	172.217.23.33
	Balance payment..exe	Get hash	malicious	Browse	172.217.23.33
	pQlSDfwyYkf.js	Get hash	malicious	Browse	172.217.23.33
	document-1641473761.xls	Get hash	malicious	Browse	172.217.23.33
	ObJRDAd8jZ.exe	Get hash	malicious	Browse	172.217.23.33
	SecuriteInfo.com.Trojan.Encoder.33750.22954.exe	Get hash	malicious	Browse	172.217.23.33
	yKthoYkcfg.exe	Get hash	malicious	Browse	172.217.23.33
	Confirmation Payment Receipt.doc	Get hash	malicious	Browse	172.217.23.33
	Friday, April 2nd, 2021, 20210402062906.8CE1B73ADE2A192C@compassionarmy.com.htm	Get hash	malicious	Browse	172.217.23.33
	documents-602438418.xlsm	Get hash	malicious	Browse	172.217.23.33
	1006.xlsm	Get hash	malicious	Browse	172.217.23.33
	262.xlsm	Get hash	malicious	Browse	172.217.23.33
	1193.xlsm	Get hash	malicious	Browse	172.217.23.33
	1094.xlsm	Get hash	malicious	Browse	172.217.23.33
	1366.xlsm	Get hash	malicious	Browse	172.217.23.33
	2086.xlsm	Get hash	malicious	Browse	172.217.23.33
	1430.xlsm	Get hash	malicious	Browse	172.217.23.33
	581.xlsm	Get hash	malicious	Browse	172.217.23.33
	3324.xlsm	Get hash	malicious	Browse	172.217.23.33
	871.xlsm	Get hash	malicious	Browse	172.217.23.33

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.5051992825729466
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Dimmock5.exe
File size:	57344
MD5:	1f6c8e6472b60d49704703c99b28a4b8
SHA1:	1770766f6cfb51725e035b0f38f560bf03d73fae
SHA256:	e0e93e3b7866085b8384948d12a2eb613fc9eb0bc283fbbe12841a5dca11ba9f
SHA512:	9e7e671c36f9f7a7206e236a5932dcefdecee4781fcb105e9c7fc458e0632383b4982cf2401e0ec7dc5eafd4619b888a74ac1b06983aa1d67d9493c85f55c8db
SSDEEP:	768:5hf6jt9ZzkkIH1f6W+iitWmyQJkVWy+qaEmTqtid:5d6jtH9IHNKNWHtIt
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...~ae`.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x40169c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6065617E [Thu Apr 1 06:00:30 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b983fc96c0bd34be8388eeea33042759

Entrypoint Preview

Instruction
push 00401874h
call 00007F8844ED7FB5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dh, cl
bound edi, dword ptr [esi-74DBD20Eh]
dec ebx
sahf
mov bh, D0h
mov ah, 21h
stc
push ebp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
call 00007F88A7F07B44h
imul esi, dword ptr [edx+63h], 6F766D75h
insb
jne 00007F8844ED8036h
add byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add eax, 671CB2E9h
cmpsb
xchg dword ptr [ebx], edx
dec ebx
stosd
popfd
push esi
out dx, al
push ebx
movsd
jmp 00007F87E69A3C8Eh
shl ebx, 1
inc eax
dec eax
xchg eax, esi
pop eax
push ss
jmp far 4F3Ah : 9B80EEF1h
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax+00h], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [esi+75h], cl
popad
outsb
arpl word ptr [ebp+72h], sp
jnc 00007F8844ED7FC2h
or eax, 47000901h
outsd
outsb
outsd
jc 00007F8844ED802Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf14	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x9d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa528	0xb000	False	0.537863991477	data	6.38736816411	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xc000	0x11b4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x9d8	0x1000	False	0.1806640625	data	2.12896103936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xe8a8	0x130	data
RT_ICON	0xe5c0	0x2e8	data
RT_ICON	0xe498	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xe468	0x30	data
RT_VERSION	0xe150	0x318	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaAryMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaI2Str, __vbaFPException, __vbaStrVarVal, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVar2Vec, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaLateMemCall, __vbaInStrB, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Collutions
InternalName	Dimmock5
FileVersion	1.00
CompanyName	Collutions
LegalTrademarks	Collutions
Comments	Collutions
ProductName	Collutions
ProductVersion	1.00
FileDescription	Creepy Collutions
OriginalFilename	Dimmock5.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2021 21:28:57.063009024 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.104257107 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.104377985 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.104971886 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.148574114 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162067890 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162125111 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162149906 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.162163973 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162199974 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.162213087 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162225008 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.162273884 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.178500891 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.219722986 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.220861912 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.221852064 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.267597914 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623802900 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623862982 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623898029 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623936892 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623975992 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.624003887 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.624044895 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.624052048 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.624057055 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.626981974 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.627096891 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.627722979 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.627768993 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.627799988 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.627825975 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.630914927 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.630968094 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.631012917 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.631051064 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.633925915 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.633970022 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.634013891 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.634205103 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.636962891 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.637058020 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.638370991 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.638412952 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.638499022 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.638520956 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.667357922 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.667468071 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.667634964 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.668855906 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.668895006 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.669025898 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.669043064 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.671967983 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.672013044 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.672055960 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.672091961 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.674973011 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.675021887 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.675065041 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.675108910 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.678006887 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.678050041 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.678093910 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.678137064 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.681075096 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.681117058 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.681170940 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.681217909 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.684149027 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.684191942 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.684227943 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.684251070 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.687216043 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.687258959 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.687311888 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.687336922 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.690288067 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.690329075 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.690386057 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.690412998 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.693048000 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.693090916 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.693126917 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.693152905 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.695774078 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.695825100 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.695856094 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.695909023 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.698532104 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.698606014 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.698622942 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.698710918 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.701239109 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.701280117 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.701330900 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.701368093 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.704010010 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.704060078 CEST	443	49741	172.217.23.33	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2021 21:26:52.658694029 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:52.788124084 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:52.850121021 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:52.898739100 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:52.953587055 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:53.630685091 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:53.682168007 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:54.569523096 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:54.615592957 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:55.393383980 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:55.447717905 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:56.192456961 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:56.241266012 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:57.439815998 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:57.489022970 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:58.349874973 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:58.409580946 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:59.526803017 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:59.581473112 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:00.619247913 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:00.667506933 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:01.702913046 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:01.753806114 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:02.654890060 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:02.702331066 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:03.492252111 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:03.552632093 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:04.467761040 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:04.525242090 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:05.409342051 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:05.458154917 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:06.331608057 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:06.379941940 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:07.264858961 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:07.313739061 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:08.121592999 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:08.177475929 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:09.064527988 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:09.112958908 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:10.016024113 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:10.068330050 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:29.675410032 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:29.734827042 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:52.581410885 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:52.654979944 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:52.782737970 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:52.841981888 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:56.902631044 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:56.959047079 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:05.641415119 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:05.711725950 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:18.511337042 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:18.580071926 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:33.490812063 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:33.562118053 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:37.936959982 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:37.993304968 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:56.176302910 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:56.239506006 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:56.981240034 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:57.060580015 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:10.735685110 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:10.783648968 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:12.790719032 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:12.863223076 CEST	53	61292	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:46.144838095 CEST	63619	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:46.251244068 CEST	53	63619	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:46.961075068 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:47.026693106 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:47.554347038 CEST	61946	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:47.616621971 CEST	53	61946	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:48.290796041 CEST	64910	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:48.349611998 CEST	53	64910	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:49.052926064 CEST	52123	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:49.101422071 CEST	53	52123	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:49.878793955 CEST	56130	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:49.938471079 CEST	53	56130	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:50.413161993 CEST	56338	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:50.472553015 CEST	53	56338	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:51.515624046 CEST	59420	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:51.570697069 CEST	53	59420	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:52.409864902 CEST	58784	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:52.466906071 CEST	53	58784	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:52.909982920 CEST	63978	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:52.965461969 CEST	53	63978	8.8.8.8	192.168.2.3
Apr 3, 2021 21:30:28.843709946 CEST	62938	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:30:28.948357105 CEST	53	62938	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 3, 2021 21:28:56.981240034 CEST	192.168.2.3	8.8.8.8	0x8fa2	Standard query (0)	doc-14-04-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Apr 3, 2021 21:30:28.843709946 CEST	192.168.2.3	8.8.8.8	0x613a	Standard query (0)	mail.palacioguevara.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 3, 2021 21:27:52.654979944 CEST	8.8.8.8	192.168.2.3	0xe744	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Apr 3, 2021 21:28:57.060580015 CEST	8.8.8.8	192.168.2.3	0x8fa2	No error (0)	doc-14-04-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 3, 2021 21:28:57.060580015 CEST	8.8.8.8	192.168.2.3	0x8fa2	No error (0)	googlehosted.l.googleusercontent.com		172.217.23.33	A (IP address)	IN (0x0001)
Apr 3, 2021 21:30:28.948357105 CEST	8.8.8.8	192.168.2.3	0x613a	No error (0)	mail.palacioguevara.com	palacioguevara.com		CNAME (Canonical name)	IN (0x0001)
Apr 3, 2021 21:30:28.948357105 CEST	8.8.8.8	192.168.2.3	0x613a	No error (0)	palacioguevara.com		54.37.255.108	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 3, 2021 21:28:57.162213087 CEST	172.217.23.33	443	192.168.2.3	49741	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Mar 16 20:32:57 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 08 21:32:56 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 3, 2021 21:28:57.162213087 CEST	172.217.23.33	443	192.168.2.3	49741	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 3, 2021 21:30:29.168144941 CEST	587	49754	54.37.255.108	192.168.2.3	220-hosting.itecan.es ESMTP Exim 4.94 #2 Sat, 03 Apr 2021 21:30:29 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 3, 2021 21:30:29.168565035 CEST	49754	587	192.168.2.3	54.37.255.108	EHLO 899552
Apr 3, 2021 21:30:29.219896078 CEST	587	49754	54.37.255.108	192.168.2.3	250-hosting.itecan.es Hello 899552 [84.17.52.79] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 3, 2021 21:30:29.221116066 CEST	49754	587	192.168.2.3	54.37.255.108	STARTTLS
Apr 3, 2021 21:30:29.275417089 CEST	587	49754	54.37.255.108	192.168.2.3	220 TLS go ahead

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Dimmock5.exe PID: 4708 Parent PID: 5740

General

Start time:	21:27:00
Start date:	03/04/2021
Path:	C:\Users\user\Desktop\Dimmock5.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Dimmock5.exe'
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	1F6C8E6472B60D49704703C99B28A4B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RegAsm.exe PID: 5596 Parent PID: 4708

General

Start time:	21:28:47
Start date:	03/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Dimmock5.exe'
Imagebase:	0xf80000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 5856 Parent PID: 5596

General

Start time:	21:28:47
Start date:	03/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Dimmock5.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre