Analysis Report ddff.exe

Overview

General Information

Sample Name: ddff.exe
Analysis ID: 382651
MD5: ded56210e4491797f704b4b0525238d8
SHA1: 7a1ca12b56aee84bab41abb6cd4b6eb50a64ef21
SHA256: 422287b67dd187c3fae4472cdf654ef69354ab78ac094dee6711874c9e59f1f4

Detection

Detected: AgentTesla, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • ddff.exe (PID: 5444, cmdline: 'C:\Users\user\Desktop\ddff.exe', MD5: DED56210E4491797F704B4B0525238D8)
    • RegAsm.exe (PID: 3924, cmdline: 'C:\Users\user\Desktop\ddff.exe', MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 5528, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Note that RegAsm.exe (the .NET Assembly Registration Tool) runs with ddff.exe's own command line: the image on disk and the executable named in the command line differ. Together with the GuLoader and AgentTesla Yara matches in RegAsm.exe's memory (see Yara Overview), this is the footprint of the VB6 GuLoader stage injecting its decrypted payload into a freshly started legitimate host process.

Malware Configuration

Threatname: Agenttesla

{"Username: ": "edeiF78", "URL: ": "https://t8vI5nXseaUv.com", "To: ": "sanetbehin.co@gmail.com", "ByHost: ": "mail.gcclatinoamerica.com:587", "Password: ": "6VomwXsWgiEV7", "From: ": "jobs@gcclatinoamerica.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000013.00000002.847807886.0000000000F02000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: RegAsm.exe PID: 3924 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 3924 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

            Sigma Overview

            System Summary:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 108.179.235.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 3924, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49751
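The process tree under Startup (RegAsm.exe launched with ddff.exe's command line), the extracted AgentTesla configuration and the Sysmon EventID 3 record behind this Sigma hit are enough to reproduce both findings in code. The following is an added example written for this page, not Joe Sandbox's or the Sigma rule's own code. It normalizes the extractor's configuration JSON (the trailing ": " in its keys is kept exactly as printed in the report), then runs two checks over constructed Sysmon-style events that mirror the report's process tree and network connection: an image/command-line mismatch check for the injected host process, and the RegAsm-to-SMTP-port rule with the configuration's port folded into the watched set. The event records, their field layout and all helper names are assumptions for illustration.

```python
import json
import ntpath

# Configuration exactly as the report's extractor printed it; its keys carry a trailing ": ".
AGENTTESLA_CONFIG = ('{"Username: ": "edeiF78", "URL: ": "https://t8vI5nXseaUv.com", '
                     '"To: ": "sanetbehin.co@gmail.com", "ByHost: ": "mail.gcclatinoamerica.com:587", '
                     '"Password: ": "6VomwXsWgiEV7", "From: ": "jobs@gcclatinoamerica.com"}')

# Constructed Sysmon-style events mirroring the report's process tree (EventID 1) and the
# network connection behind the Sigma hit (EventID 3). Field names follow Sysmon; the
# records are illustrative, not an export from the sandbox.
EVENTS = [
    {"EventID": 1, "ProcessId": 5444, "ParentProcessId": 0,
     "Image": r"C:\Users\user\Desktop\ddff.exe",
     "CommandLine": r"'C:\Users\user\Desktop\ddff.exe'"},
    {"EventID": 1, "ProcessId": 3924, "ParentProcessId": 5444,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"'C:\Users\user\Desktop\ddff.exe'"},
    {"EventID": 1, "ProcessId": 5528, "ParentProcessId": 3924,
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"EventID": 3, "ProcessId": 3924,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.3", "SourcePort": 49751,
     "DestinationIp": "108.179.235.108", "DestinationPort": 587},
]

SMTP_PORTS = {25, 465, 587}  # submission and legacy SMTP ports watched by the rule


def normalize_config(raw):
    """Turn the extractor's {'Key: ': value} JSON into plain lowercase keys and split ByHost."""
    cfg = {k.strip().rstrip(":").lower(): v for k, v in json.loads(raw).items()}
    host, _, port = cfg.get("byhost", "").rpartition(":")
    cfg["smtp_host"] = host
    cfg["smtp_port"] = int(port) if port.isdigit() else None
    return cfg


def cmdline_exe(cmdline):
    """First token of a Windows command line; a quoted path may contain spaces."""
    s = cmdline.strip()
    if s and s[0] in "'\"":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def image_cmdline_mismatch(ev):
    """True when the on-disk image is not the executable the command line names.
    A hollowed/injected host (RegAsm.exe started with ddff.exe's command line)
    shows exactly this discrepancy; ntpath is used so the check also runs on Linux."""
    image = ntpath.basename(ev["Image"]).lower()
    claimed = ntpath.basename(cmdline_exe(ev["CommandLine"])).lower()
    return bool(claimed) and claimed != image


def regasm_smtp_connect(ev, ports):
    """The report's Sigma logic: RegAsm.exe initiating a TCP connection to an SMTP port."""
    return (ev.get("EventID") == 3 and ev.get("Initiated") is True
            and ev.get("Protocol") == "tcp"
            and ntpath.basename(ev["Image"]).lower() == "regasm.exe"
            and ev.get("DestinationPort") in ports)


def evaluate(events, cfg):
    """Run both checks; the configuration's SMTP port is added to the watched port set."""
    ports = set(SMTP_PORTS)
    if cfg.get("smtp_port"):
        ports.add(cfg["smtp_port"])
    hits = []
    for ev in events:
        if ev.get("EventID") == 1 and image_cmdline_mismatch(ev):
            hits.append(("image_cmdline_mismatch", ev["ProcessId"]))
        elif regasm_smtp_connect(ev, ports):
            hits.append(("regasm_smtp_connect", ev["ProcessId"]))
    return hits


if __name__ == "__main__":
    cfg = normalize_config(AGENTTESLA_CONFIG)
    print("exfil:", cfg["from"], "->", cfg["to"], "via", cfg["smtp_host"], cfg["smtp_port"])
    for rule, pid in evaluate(EVENTS, cfg):
        print(f"{rule}: pid {pid}")
```

Both checks fire on PID 3924 only: ddff.exe and conhost.exe name themselves correctly, and the SMTP rule does not match the TLS session on port 443. In a real deployment the mismatch check needs an allowlist (some installers and service hosts legitimately rewrite their command line), and the SMTP rule is worth widening beyond RegAsm.exe to the other .NET utilities GuLoader-style loaders inject into; both are tuning decisions, not something this report decides.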

            Signature Overview

            AV Detection:

Found malware configuration
Source: RegAsm.exe.3924.19.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "edeiF78", "URL: ": "https://t8vI5nXseaUv.com", "To: ": "sanetbehin.co@gmail.com", "ByHost: ": "mail.gcclatinoamerica.com:587", "Password: ": "6VomwXsWgiEV7", "From: ": "jobs@gcclatinoamerica.com"}
Multi AV Scanner detection for submitted file
Source: ddff.exe | Virustotal: Detection: 15%
Machine Learning detection for sample
Source: ddff.exe | Joe Sandbox ML: detected
Source: ddff.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.3:49733 version: TLS 1.2

            Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://t8vI5nXseaUv.com
Source: global traffic | TCP traffic: 192.168.2.3:49751 -> 108.179.235.108:587
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: doc-0k-1c-docs.googleusercontent.com
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: http://ChSulR.com
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://mail.gcclatinoamerica.com
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000013.00000002.850646188.00000000013AE000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-1c-docs.googleusercontent.com/
Source: RegAsm.exe, 00000013.00000002.850763791.00000000013CC000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-1c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/55mju4ru
Source: RegAsm.exe, 00000013.00000002.850646188.00000000013AE000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-1c-docs.googleusercontent.com/su
Source: RegAsm.exe, 00000013.00000002.850301803.000000000136B000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000013.00000002.850301803.000000000136B000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/=:
Source: RegAsm.exe, 00000013.00000002.850301803.000000000136B000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1kid0owgaMCzRLqlPjIt2boGIIgOTgmca
Source: RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp, 00000013.00000002.857439462.000000001DF7D000.00000004.00000001.sdmp, 00000013.00000002.857541790.000000001DFA6000.00000004.00000001.sdmp | String found in binary or memory: https://t8vI5nXseaUv.com
Source: RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733

Reading the string list: the pki.goog, crl.globalsign.net, identrust.com, letsencrypt.org and lencr.org entries are CA, CRL and OCSP endpoints copied out of certificate chains held in process memory (the trailing "0" is the next DER tag byte), so they are certificate noise rather than indicators. The drive.google.com uc?export=download and doc-0k-1c-docs.googleusercontent.com strings, the DNS query and the TLS 1.2 session to 172.217.23.33:443 are the GuLoader stage fetching its payload from Google Drive. api.ipify.org is the public-IP lookup AgentTesla performs before reporting, and the Tor Browser bundle URL belongs to its optional Tor exfiltration mode; this configuration exfiltrates over SMTP (port 587, 108.179.235.108, matching the ByHost port in the extracted configuration). The actionable network indicators are therefore the SMTP destination, the mail accounts in the configuration and the Google Drive file ID.

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\ddff.exe | Code function: 0_2_00414594 OpenClipboard,
Source: ddff.exe, 00000000.00000002.408563933.00000000006E8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary:

Source: C:\Users\user\Desktop\ddff.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code functions calling NtProtectVirtualMemory (19_2_): 00F08809, 00F082D9, 00F088F4, 00F088C6, 00F0889E, 00F08875, 00F08C7F, 00F08C54, 00F0884D, 00F08824, 00F089CC, 00F089A7, 00F08979, 00F08D6E, 00F08951, 00F08922, 00F08D2C, 00F08D04, 00F08AE3, 00F082D7, 00F08ABE, 00F08A89, 00F08A61, 00F08A35, 00F08A05, 00F08BDE, 00F08B9F, 00F08B77, 00F08B4B, 00F08B14
Source: C:\Users\user\Desktop\ddff.exe | Code functions: 0_2_004064CA, 0_2_0040729D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code functions: 19_2_00F0433E, 19_2_01256878, 19_2_01255B18, 19_2_0128A9E8, 19_2_01287B98, 19_2_012847F2, 19_2_01280DB0
Source: ddff.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ddff.exe, 00000000.00000002.409248775.0000000002A90000.00000004.00000001.sdmp | Binary or memory strings: OriginalFilenamenyanlgg.exeFE2X, OriginalFilenamenyanlgg.exeFE2XN, OriginalFilenamenyanlgg.exeFE2X), OriginalFilenamenyanlgg.exeFE2XM, OriginalFilenamenyanlgg.exeFE2X$, OriginalFilename vs ddff.exe
Source: ddff.exe, 00000000.00000000.195030837.0000000000419000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenyanlgg.exe vs ddff.exe
Source: ddff.exe | Binary or memory string: OriginalFilenamenyanlgg.exe vs ddff.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\ifg4v0bb.jfl
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_01
Source: C:\Users\user\Desktop\ddff.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD9AA5F3A51F7B645.TMP
Source: ddff.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ddff.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (twice)
Source: C:\Users\user\Desktop\ddff.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: unknown | Process created: C:\Users\user\Desktop\ddff.exe 'C:\Users\user\Desktop\ddff.exe'
Source: C:\Users\user\Desktop\ddff.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\ddff.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

            Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000013.00000002.847807886.0000000000F02000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3924, type: MEMORY
Source: C:\Users\user\Desktop\ddff.exe | Code functions with pushfd ; iretd: 0_2_00404E47, 0_2_00404048, 0_2_004020CD, 0_2_004020FD, 0_2_00402301, 0_2_00402BD8
Source: C:\Users\user\Desktop\ddff.exe | Code functions with push ecx; iretd: 0_2_00406401, 0_2_00406404, 0_2_00406407, 0_2_0040640A, 0_2_0040640D, 0_2_00406410, 0_2_00405F05, 0_2_004063C8, 0_2_004063CB, 0_2_004063CE, 0_2_004063D1, 0_2_004063D4, 0_2_004063D7, 0_2_004063DA, 0_2_004063DD, 0_2_004063E0, 0_2_004063E3, 0_2_004063E6, 0_2_004063E9, 0_2_004063EC, 0_2_004063EF
Source: C:\Users\user\Desktop\ddff.exe | Code function: 0_2_0040903C push ss; retf
Source: C:\Users\user\Desktop\ddff.exe | Code function: 0_2_00402EE9 push dword ptr [edi-4B012F33h]; retf
Source: C:\Users\user\Desktop\ddff.exe | Code function: 0_2_0040336B push fs; ret
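The "Uses code obfuscation techniques (call, push, ret)" signature above is driven by the push/return pairs listed for ddff.exe: a push followed by iretd, retf or ret that no compiler emits in a normal epilogue, planted by GuLoader's VB6 stage to break linear disassembly. The following is an added example written for this page, not Joe Sandbox's signature code: it scans a byte buffer for the encodings of exactly those pairs and reports them in the report's own notation, decoding the displacement of the memory-operand form. The sample buffer is constructed to exercise every pattern and is not a dump of ddff.exe; the pattern set, the triage threshold and the helper names are assumptions for illustration.

```python
import re
import struct

# 32-bit x86 encodings of the junk "push X; return" pairs the report lists.
# The memory-operand form matches any 32-bit displacement and decodes it when reporting.
PATTERNS = {
    "pushfd ; iretd": rb"\x9c\xcf",
    "push ecx; iretd": rb"\x51\xcf",
    "push ss; retf": rb"\x16\xcb",
    "push fs; ret": rb"\x0f\xa0\xc3",
    "push dword ptr [edi+disp32]; retf": rb"\xff\xb7.{4}\xcb",
}

# Constructed buffer: an ordinary prologue/epilogue followed by a junk region.
# Illustrative bytes, not taken from ddff.exe.
SAMPLE = bytes.fromhex(
    "55 8b ec 83 ec 10 33 c0 c9 c3 "  # push ebp; mov ebp,esp; sub esp,10h; xor eax,eax; leave; ret
    "9c cf 90 "                        # pushfd; iretd; nop
    "51 cf 90 51 cf 90 51 cf "         # push ecx; iretd, three times with a nop between
    "16 cb "                           # push ss; retf
    "0f a0 c3 "                        # push fs; ret
    "ff b7 cd d0 fe b4 cb "            # push dword ptr [edi-4B012F33h]; retf
)


def describe(name, matched):
    """Render a hit the way the report prints it (signed displacement, hex with h suffix)."""
    if name.startswith("push dword ptr"):
        disp = struct.unpack("<i", matched[2:6])[0]
        sign = "-" if disp < 0 else "+"
        return f"push dword ptr [edi{sign}{abs(disp):X}h]; retf"
    return name


def scan(buf, base=0):
    """Return (address, description) for every junk pair in buf, sorted by address."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((base + m.start(), describe(name, m.group(0))))
    return sorted(hits)


def looks_obfuscated(buf, min_hits=3):
    """Cheap triage verdict: a handful of such pairs in one region is already unusual for
    compiler output, which leaves a function through leave/ret, not through iretd or retf."""
    return len(scan(buf)) >= min_hits


if __name__ == "__main__":
    for addr, desc in scan(SAMPLE, base=0x00402000):
        print(f"0_2_{addr:08X} {desc}")
```

The scanner is byte-oriented and knows nothing about instruction boundaries, so a match can land inside an immediate or a displacement of a legitimate instruction; treat its output as a lead and confirm the sequences with a disassembler before concluding that a region is obfuscated. The report's own listing shows why the pairs matter for analysis: clusters such as 0_2_00406401 to 0_2_00406410 (a hit every three bytes) are what a disassembler sees when it is resynchronising on junk rather than on real code.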
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\ddff.exe | Process information set: NOOPENFILEERRORBOX (6 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (68 times)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\ddff.exe | RDTSC instruction interceptor: First address: 0000000000523AE6 second address: 0000000000523AE6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6C0094A148h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F6C0094A131h 0x00000026 cmp ch, dh 0x00000028 push ecx 0x00000029 call 00007F6C0094A1ADh 0x0000002e call 00007F6C0094A158h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ddff.exe | RDTSC instruction interceptor: First address: 000000000052367A second address: 000000000052367A instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F02016 second address: 0000000000F02016 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F02162 second address: 0000000000F02162 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F022F8 second address: 0000000000F022F8 instructions:
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ddff.exe, 00000000.00000002.408563933.00000000006E8000.00000004.00000020.sdmp, RegAsm.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ddff.exe | RDTSC instruction interceptor: First address: 0000000000523AE6 second address: 0000000000523AE6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6C0094A148h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F6C0094A131h 0x00000026 cmp ch, dh 0x00000028 push ecx 0x00000029 call 00007F6C0094A1ADh 0x0000002e call 00007F6C0094A158h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ddff.exe | RDTSC instruction interceptor: First address: 0000000000523DA0 second address: 0000000000523DA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6C0094E494h 0x0000001d popad 0x0000001e call 00007F6C0094ACCFh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\ddff.exe | RDTSC instruction interceptor: First address: 000000000052367A second address: 000000000052367A instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F03DA0 second address: 0000000000F03DA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6C0094E494h 0x0000001d popad 0x0000001e call 00007F6C0094ACCFh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F02016 second address: 0000000000F02016 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F02162 second address: 0000000000F02162 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F022F8 second address: 0000000000F022F8 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F034E3 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5848 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: RegAsm.exe, 00000013.00000002.850301803.000000000136B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWX
Source: RegAsm.exe, 00000013.00000002.858637359.0000000020720000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000013.00000002.850646188.00000000013AE000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000013.00000002.858637359.0000000020720000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ddff.exe, 00000000.00000002.408563933.00000000006E8000.00000004.00000020.sdmp, RegAsm.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000013.00000002.858637359.0000000020720000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000013.00000002.858637359.0000000020720000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F034E3 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_01250A70 KiUserExceptionDispatcher,LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F038BB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F07C85 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F07C33 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F07C38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F061D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 19_2_00F06B79 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard
Source: RegAsm.exe, 00000013.00000002.851150921.00000000017F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 00000013.00000002.851150921.00000000017F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000013.00000002.851150921.00000000017F0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 00000013.00000002.851150921.00000000017F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\ddff.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3924, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: Yara match | File source: 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3924, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3924, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | DLL Side-Loading 1 | Process Injection 2 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | Input Capture 111 | Security Software Discovery 631 | Remote Desktop Protocol | Input Capture 111 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 341 | Credentials in Registry 1 | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 2 | NTDS | Virtualization/Sandbox Evasion 341 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Application Layer Protocol 112 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Clipboard Data 2 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 313 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
ddff.exe | 16% | Virustotal | | Browse
ddff.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
mail.gcclatinoamerica.com | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
http://DynDns.comDynDNS | 0% | URL Reputation | safe |
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
http://ChSulR.com | 0% | Avira URL Cloud | safe |
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |
http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe |
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
http://mail.gcclatinoamerica.com | 0% | Virustotal | | Browse
http://mail.gcclatinoamerica.com | 0% | Avira URL Cloud | safe |
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
https://pki.goog/repository/0 | 0% | URL Reputation | safe |
https://api.ipify.org% | 0% | URL Reputation | safe |
https://t8vI5nXseaUv.com | 0% | Avira URL Cloud | safe |
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe |
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.gcclatinoamerica.com | 108.179.235.108 | true | true | | unknown
googlehosted.l.googleusercontent.com | 172.217.23.33 | true | false | | high
doc-0k-1c-docs.googleusercontent.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://t8vI5nXseaUv.com | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://doc-0k-1c-docs.googleusercontent.com/su | RegAsm.exe, 00000013.00000002.850646188.00000000013AE000.00000004.00000020.sdmp | false | | high
http://cps.letsencrypt.org0 | RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://doc-0k-1c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/55mju4ru | RegAsm.exe, 00000013.00000002.850763791.00000000013CC000.00000004.00000020.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ChSulR.com | RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pki.goog/GTS1O1core.crl0 | RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://r3.o.lencr.org0 | RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://pki.goog/gsr2/GTS1O1.crt0 | RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://mail.gcclatinoamerica.com | RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://crl.pki.goog/gsr2/gsr2.crl0? | RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://pki.goog/repository/0 | RegAsm.exe, 00000013.00000002.850882210.00000000013F0000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | RegAsm.exe, 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://cps.root-x1.letsencrypt.org0 | RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/0 | RegAsm.exe, 00000013.00000002.857466252.000000001DF85000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://doc-0k-1c-docs.googleusercontent.com/ | RegAsm.exe, 00000013.00000002.850646188.00000000013AE000.00000004.00000020.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.217.23.33 | googlehosted.l.googleusercontent.com | United States | | 15169 | GOOGLEUS | false
108.179.235.108 | mail.gcclatinoamerica.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 382651
Start date: 06.04.2021
Start time: 12:37:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ddff.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 6.1% (good quality ratio 4.3%)
• Quality average: 50.6%
• Quality standard deviation: 35.9%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 184.30.21.219, 92.122.145.220, 13.88.21.125, 13.64.90.137, 168.61.161.212, 184.30.20.56, 2.20.142.210, 2.20.142.209, 20.82.209.183, 104.43.193.48, 52.147.198.201, 92.122.213.247, 92.122.213.194, 20.54.26.129, 172.217.20.238, 20.82.210.154, 52.155.217.156, 20.190.160.9, 20.190.160.7, 20.190.160.74, 20.190.160.135, 20.190.160.3, 20.190.160.1, 20.190.160.70, 20.190.160.72, 20.44.239.154, 40.74.108.123, 40.127.240.158
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, settingsfd-geo.trafficmanager.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
12:40:20 | API Interceptor | 1305x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: UNIFIEDLAYER-AS-1US

Associated Sample Name / URL | Detection | Context
PowerShell_Input.ps1 | malicious | 162.241.61.203
New PO#700-20-HDO410444RF217,pdf.exe | malicious | 192.185.122.118
Purchase Order.9000.scan.pdf...exe | malicious | 162.241.148.243
document-1848152474.xlsm | malicious | 192.185.48.186
7z7Q51Y8Xd.dll | malicious | 162.241.54.59
pySsaGoiCT.dll | malicious | 162.241.54.59
QOpv1PykFc.dll | malicious | 162.241.54.59
S4caD0RhXL.dll | malicious | 162.241.54.59
pH8YW11W1x.dll | malicious | 162.241.54.59
7z7Q51Y8Xd.dll | malicious | 162.241.54.59
pySsaGoiCT.dll | malicious | 162.241.54.59
QOpv1PykFc.dll | malicious | 162.241.54.59
S4caD0RhXL.dll | malicious | 162.241.54.59
pH8YW11W1x.dll | malicious | 162.241.54.59
CI-2100403L.exe | malicious | 192.254.180.165
wrtKaH8g28.dll | malicious | 162.241.54.59
Ip6jHpq61F.dll | malicious | 162.241.54.59
y7GBATGcnw.dll | malicious | 162.241.54.59
wrtKaH8g28.dll | malicious | 162.241.54.59
Ip6jHpq61F.dll | malicious | 162.241.54.59

JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19

Associated Sample Name / URL | Detection | Context
Doc_58YJ54-521DERG701-55YH701.exe | malicious | 172.217.23.33
1e#U0414.exe | malicious | 172.217.23.33
svhost.exe | malicious | 172.217.23.33
beaconxx.exe | malicious | 172.217.23.33
_VmailMessage_Wave19922626.html | malicious | 172.217.23.33
5H957qLghX.exe | malicious | 172.217.23.33
FK58.vbs | malicious | 172.217.23.33
ZgaBWrz3HH.exe | malicious | 172.217.23.33
RFQ#8086A_461A_0000086_300_3550_2021.exe | malicious | 172.217.23.33
wzdu53.exe | malicious | 172.217.23.33
Opik_lk.exe | malicious | 172.217.23.33
document-895003104.xls | malicious | 172.217.23.33
Dimmock5.exe | malicious | 172.217.23.33
pQlSDfwyYkf.js | malicious | 172.217.23.33
Balance payment..exe | malicious | 172.217.23.33
pQlSDfwyYkf.js | malicious | 172.217.23.33
document-1641473761.xls | malicious | 172.217.23.33
ObJRDAd8jZ.exe | malicious | 172.217.23.33
SecuriteInfo.com.Trojan.Encoder.33750.22954.exe | malicious | 172.217.23.33
yKthoYkcfg.exe | malicious | 172.217.23.33

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\ifg4v0bb.jfl\Chrome\Default\Cookies
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: modified
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
Reputation: moderate, very likely benign file
                      Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
\Device\ConDrv
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 30
Entropy (8bit): 3.964735178725505
Encrypted: false
SSDEEP: 3:IBVFBWAGRHneyy:ITqAGRHner
MD5: 9F754B47B351EF0FC32527B541420595
SHA1: 006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256: 0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512: C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious: false
Reputation: moderate, very likely benign file
Preview: NordVPN directory not found!..

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.729364262794313
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ddff.exe
File size: 122880
MD5: ded56210e4491797f704b4b0525238d8
SHA1: 7a1ca12b56aee84bab41abb6cd4b6eb50a64ef21
SHA256: 422287b67dd187c3fae4472cdf654ef69354ab78ac094dee6711874c9e59f1f4
SHA512: a5e2399e1b18ac416036658db449c2c77e30a31242d2c827870022989ff5b5cff6cf183b5e04b1a20be72ad615782b8f43975cd42c27d1b961745ee70e6fef3b
SSDEEP: 1536:FGouBWGIDtxQCg53OuHKuSx2ig9TWb1yihGo:FGZBWG+tebq3x2nCb1yihG
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...>..T.................p...`......(.............@................

File Icon

Icon Hash: 0ccea09899191898

Static PE Info

General

Entrypoint: 0x401328
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x54DD953E [Fri Feb 13 06:10:06 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: efa774b90ad6b9ab8c4fabb031ebe78d

Entrypoint Preview

Instruction
push 00413DF0h
call 00007F6C00804D35h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, BBh
sub al, 88h
mov ebx, DB9B42F0h
xchg eax, esp
imul edi, dword ptr [eax+001FFE45h], 00h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [esi+4D018250h], al
inc ecx
dec ecx
inc esp
inc ebp
dec esi
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
sub byte ptr [ecx], dh
js 00007F6C00804D41h
das
movsd
pop ss
into
dec edi

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x175f4 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x4856 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xd4 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x169e4 | 0x17000 | False | 0.347486413043 | data | 6.18979858125 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x18000 | 0xa88 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x19000 | 0x4856 | 0x5000 | False | 0.414111328125 | data | 4.36025980168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1b2ae | 0x25a8 | data | |
RT_ICON | 0x1a206 | 0x10a8 | data | |
RT_ICON | 0x1987e | 0x988 | data | |
RT_ICON | 0x19416 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x193d8 | 0x3e | data | |
RT_VERSION | 0x19180 | 0x258 | data | English | United States

Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description | Data
Translation | 0x0409 0x04b0
InternalName | nyanlgg
FileVersion | 3.00
CompanyName | Salty
Comments | Salty
ProductName | Salty
ProductVersion | 3.00
FileDescription | Salty
OriginalFilename | nyanlgg.exe

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 6, 2021 12:40:10.254446983 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.295238018 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.295432091 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.296657085 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.337526083 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.351098061 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.351195097 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.351248980 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.351259947 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.351289988 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.351295948 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.351300001 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.351363897 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.364321947 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.405380011 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.405553102 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.406564951 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.451906919 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.651345015 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.651422977 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.651462078 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.651473999 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.651499033 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.651524067 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.651539087 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.651582956 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.651583910 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.651643038 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.654021025 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.654078960 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.654099941 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.654149055 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.656913996 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.656971931 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.656991959 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.657046080 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.659732103 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.659790039 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.659805059 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.659856081 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.662596941 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.662646055 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.662668943 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.662710905 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.664926052 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.664979935 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.665019989 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.665044069 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.692289114 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.692349911 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.692431927 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.692480087 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.693635941 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.693692923 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.693773985 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.693820000 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.696532965 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.696590900 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.696675062 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.696719885 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.699392080 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.699450970 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.699522018 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.699567080 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.702272892 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.702332020 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.702398062 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.702445030 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.705205917 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.705260992 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.705332041 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.705378056 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.707999945 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.708055973 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.708143950 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.708189964 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.710887909 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.710947037 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.710975885 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.711003065 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.713692904 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.713759899 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.713761091 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.713937998 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.716240883 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.716296911 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.716316938 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.716358900 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.718739033 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.718800068 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.718806982 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.718856096 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.721297979 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.721350908 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.721368074 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.721409082 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.723886013 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.723939896 CEST | 443 | 49733 | 172.217.23.33 | 192.168.2.3
Apr 6, 2021 12:40:10.723957062 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33
Apr 6, 2021 12:40:10.724001884 CEST | 49733 | 443 | 192.168.2.3 | 172.217.23.33

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 6, 2021 12:38:26.490256071 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:26.549189091 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:38:27.416503906 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:27.480247021 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:38:28.519505024 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:28.575723886 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:38:29.014059067 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:29.072041035 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:38:30.183959961 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:30.229957104 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:38:31.505867958 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:31.552011967 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:38:52.675306082 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:52.724174976 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:38:53.792023897 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:53.837938070 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:38:55.091465950 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:55.137310028 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:38:56.338965893 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:38:56.385159969 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:05.734342098 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:05.807686090 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:21.900122881 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:21.959518909 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:24.274601936 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:24.320872068 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:26.891315937 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:26.940251112 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:28.500572920 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:28.549417973 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:30.388962030 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:30.438782930 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:31.387197018 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:31.433409929 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:32.174664021 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:32.223575115 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:35.404690981 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:35.452562094 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:36.924537897 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:36.971714020 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:37.874058008 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:37.922924042 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:39.459230900 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:39.515553951 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:40.542083979 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:40.588284016 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:41.355058908 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:41.403889894 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:39:52.314244986 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:39:52.384251118 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:40:07.986004114 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:40:08.048541069 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:40:08.731096983 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:40:08.776892900 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:40:10.189623117 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:40:10.252120018 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:40:13.892976999 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:40:13.947936058 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:40:44.937808990 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:40:44.993721008 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:40:46.527230978 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:40:46.573290110 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:41:21.843970060 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:41:21.927680969 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:41:22.512407064 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:41:22.567893028 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Apr 6, 2021 12:41:22.960082054 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Apr 6, 2021 12:41:23.318380117 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                      Apr 6, 2021 12:41:23.886065960 CEST6493853192.168.2.38.8.8.8
                      Apr 6, 2021 12:41:23.943433046 CEST53649388.8.8.8192.168.2.3
                      Apr 6, 2021 12:41:24.556430101 CEST6194653192.168.2.38.8.8.8
                      Apr 6, 2021 12:41:24.612591982 CEST53619468.8.8.8192.168.2.3
                      Apr 6, 2021 12:41:25.342679977 CEST6491053192.168.2.38.8.8.8
                      Apr 6, 2021 12:41:25.415327072 CEST53649108.8.8.8192.168.2.3
                      Apr 6, 2021 12:41:25.958585024 CEST5212353192.168.2.38.8.8.8
                      Apr 6, 2021 12:41:26.018208027 CEST53521238.8.8.8192.168.2.3
                      Apr 6, 2021 12:41:26.713805914 CEST5613053192.168.2.38.8.8.8
                      Apr 6, 2021 12:41:26.771321058 CEST53561308.8.8.8192.168.2.3
                      Apr 6, 2021 12:41:27.935620070 CEST5633853192.168.2.38.8.8.8
                      Apr 6, 2021 12:41:27.990155935 CEST53563388.8.8.8192.168.2.3
                      Apr 6, 2021 12:41:28.673451900 CEST5942053192.168.2.38.8.8.8
                      Apr 6, 2021 12:41:28.719708920 CEST53594208.8.8.8192.168.2.3
                      Apr 6, 2021 12:41:45.341291904 CEST5878453192.168.2.38.8.8.8
                      Apr 6, 2021 12:41:45.547538042 CEST53587848.8.8.8192.168.2.3
                      Apr 6, 2021 12:43:18.767577887 CEST6397853192.168.2.38.8.8.8
                      Apr 6, 2021 12:43:18.822230101 CEST53639788.8.8.8192.168.2.3
                      Apr 6, 2021 12:43:19.421952963 CEST6293853192.168.2.38.8.8.8
                      Apr 6, 2021 12:43:19.486018896 CEST53629388.8.8.8192.168.2.3
                      Apr 6, 2021 12:43:23.231192112 CEST5570853192.168.2.38.8.8.8
                      Apr 6, 2021 12:43:23.285566092 CEST53557088.8.8.8192.168.2.3
                      Apr 6, 2021 12:43:29.205905914 CEST5680353192.168.2.38.8.8.8
                      Apr 6, 2021 12:43:29.276460886 CEST53568038.8.8.8192.168.2.3
                      Apr 6, 2021 12:43:30.403588057 CEST5714553192.168.2.38.8.8.8
                      Apr 6, 2021 12:43:30.471645117 CEST53571458.8.8.8192.168.2.3

                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 6, 2021 12:40:10.189623117 CEST | 192.168.2.3 | 8.8.8.8 | 0xf3b | Standard query (0) | doc-0k-1c-docs.googleusercontent.com | A (IP address) | IN (0x0001)
Apr 6, 2021 12:41:45.341291904 CEST | 192.168.2.3 | 8.8.8.8 | 0x53fd | Standard query (0) | mail.gcclatinoamerica.com | A (IP address) | IN (0x0001)

                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 6, 2021 12:40:10.252120018 CEST | 8.8.8.8 | 192.168.2.3 | 0xf3b | No error (0) | doc-0k-1c-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 6, 2021 12:40:10.252120018 CEST | 8.8.8.8 | 192.168.2.3 | 0xf3b | No error (0) | googlehosted.l.googleusercontent.com | - | 172.217.23.33 | A (IP address) | IN (0x0001)
Apr 6, 2021 12:41:45.547538042 CEST | 8.8.8.8 | 192.168.2.3 | 0x53fd | No error (0) | mail.gcclatinoamerica.com | - | 108.179.235.108 | A (IP address) | IN (0x0001)
Apr 6, 2021 12:43:18.822230101 CEST | 8.8.8.8 | 192.168.2.3 | 0x572c | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001)

                      HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Apr 6, 2021 12:40:10.351300001 CEST | 172.217.23.33 | 443 | 192.168.2.3 | 49733 | CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Mar 16 20:32:57 CET 2021 | Tue Jun 08 21:32:56 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
(intermediate presented in the same handshake) | | | | | CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021 | |
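Two checks worth running on a row like the one above before putting its values into a rule: that the JA3 digest really is the MD5 of the printed fingerprint string (so the string was not truncated in the report), and that the handshake timestamp lies inside the validity window of every certificate in the chain. The script below is an added example, not code from the report or from Joe Sandbox; every constant is copied from the HTTPS Packets table, and the CET/CEST offset map is an assumption about how the report prints local time.

```python
"""Re-derive the JA3 digest printed in the HTTPS Packets table from its
fingerprint string, and check that the handshake timestamp falls inside
the validity window of each certificate the server presented.
All constants below are copied from the table in the report."""
import hashlib
from datetime import datetime, timedelta, timezone

JA3_FINGERPRINT = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161"
                   "-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,"
                   "29-23-24,0")
REPORTED_DIGEST = "37f463bf4616ecd445d4a1937da06e19"
HANDSHAKE_TS = "Apr 6, 2021 12:40:10.351300001 CEST"
CHAIN = [  # (subject, Not Before, Not After) for the leaf and the intermediate
    ("CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US",
     "Tue Mar 16 20:32:57 CET 2021", "Tue Jun 08 21:32:56 CEST 2021"),
    ("CN=GTS CA 1O1, O=Google Trust Services, C=US",
     "Thu Jun 15 02:00:42 CEST 2017", "Wed Dec 15 01:00:42 CET 2021"),
]

# Assumption: the report prints Central European local time. strptime's %Z
# does not turn "CET"/"CEST" into offsets, so map them explicitly.
TZ = {"CET": timezone(timedelta(hours=1)), "CEST": timezone(timedelta(hours=2))}


def ja3_digest(fingerprint: str) -> str:
    """JA3 digest = MD5 of the 'version,ciphers,extensions,curves,formats' string."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def _ints(field: str) -> list:
    return [int(x) for x in field.split("-")] if field else []


def parse_ja3(fingerprint: str) -> dict:
    """Break the five dash-joined fields into integer lists for rule writing."""
    version, ciphers, exts, curves, fmts = fingerprint.split(",")
    return {"version": int(version), "ciphers": _ints(ciphers),
            "extensions": _ints(exts), "curves": _ints(curves),
            "point_formats": _ints(fmts)}


def parse_cert_time(s: str) -> datetime:
    """'Tue Mar 16 20:32:57 CET 2021' -> timezone-aware datetime."""
    _dow, mon, day, clock, tz, year = s.split()
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=TZ[tz])


def parse_report_time(s: str) -> datetime:
    """'Apr 6, 2021 12:40:10.351300001 CEST' -> aware datetime.
    The report's nanosecond fraction is truncated to microseconds."""
    date_part, clock, tz = s.rsplit(" ", 2)
    hms, frac = clock.split(".")
    naive = datetime.strptime(f"{date_part} {hms}", "%b %d, %Y %H:%M:%S")
    return naive.replace(microsecond=int(frac[:6].ljust(6, "0")), tzinfo=TZ[tz])


def chain_valid_at(chain, when: datetime) -> list:
    """(subject, in_window) per certificate; instants are compared, not local strings."""
    return [(subj, parse_cert_time(nb) <= when <= parse_cert_time(na))
            for subj, nb, na in chain]


if __name__ == "__main__":
    print("digest matches report:", ja3_digest(JA3_FINGERPRINT) == REPORTED_DIGEST)
    for subj, ok in chain_valid_at(CHAIN, parse_report_time(HANDSHAKE_TS)):
        print(("valid" if ok else "OUTSIDE VALIDITY WINDOW") + ": " + subj)
```

Keep in mind what the digest identifies: a JA3 hash describes the client's TLS library and its default ClientHello, not the program driving it, so for a .NET process on Windows it is the platform TLS stack's fingerprint and will also match benign traffic. Use it to corroborate a sighting, not as the sole detection.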

                      SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 6, 2021 12:41:46.038834095 CEST | 587 | 49751 | 108.179.235.108 | 192.168.2.3 | 220-gator4253.hostgator.com ESMTP Exim 4.93 #2 Tue, 06 Apr 2021 05:41:45 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 6, 2021 12:41:46.039329052 CEST | 49751 | 587 | 192.168.2.3 | 108.179.235.108 | EHLO 760639
Apr 6, 2021 12:41:46.195832014 CEST | 587 | 49751 | 108.179.235.108 | 192.168.2.3 | 250-gator4253.hostgator.com Hello 760639 [84.17.52.79]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 6, 2021 12:41:46.196239948 CEST | 49751 | 587 | 192.168.2.3 | 108.179.235.108 | STARTTLS
Apr 6, 2021 12:41:46.355518103 CEST | 587 | 49751 | 108.179.235.108 | 192.168.2.3 | 220 TLS go ahead
Apr 6, 2021 12:41:49.212441921 CEST | 587 | 49752 | 108.179.235.108 | 192.168.2.3 | 220-gator4253.hostgator.com ESMTP Exim 4.93 #2 Tue, 06 Apr 2021 05:41:49 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 6, 2021 12:41:49.212722063 CEST | 49752 | 587 | 192.168.2.3 | 108.179.235.108 | EHLO 760639
Apr 6, 2021 12:41:49.373460054 CEST | 587 | 49752 | 108.179.235.108 | 192.168.2.3 | 250-gator4253.hostgator.com Hello 760639 [84.17.52.79]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 6, 2021 12:41:49.374119043 CEST | 49752 | 587 | 192.168.2.3 | 108.179.235.108 | STARTTLS
Apr 6, 2021 12:41:49.538451910 CEST | 587 | 49752 | 108.179.235.108 | 192.168.2.3 | 220 TLS go ahead
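Read together with the DNS Answers table, the SMTP rows give a complete picture of what the capture can and cannot tell you: both connections go to 108.179.235.108:587, the address mail.gcclatinoamerica.com resolved to, the client identifies itself as 760639 in EHLO, the server advertises AUTH PLAIN LOGIN, and the client issues STARTTLS before authenticating, so the AUTH exchange and whatever is mailed afterwards are encrypted and absent from the transcript. The script below turns those two tables into attributed IOCs and records that visibility boundary per session. It is an added example, not code from the report; the row tuples are copied from the tables above, and the CLIENT/SERVER constants are the sandbox guest and the mail host.

```python
"""Attribute the SMTP destination to its DNS name and record how far each
session is readable in the clear (nothing after STARTTLS is).
Rows are copied from the DNS Answers and SMTP Packets tables above."""
from collections import OrderedDict

CLIENT, SERVER = "192.168.2.3", "108.179.235.108"  # sandbox guest, mail host

# (name, cname, address) from the DNS Answers table; None for empty cells.
DNS_ANSWERS = [
    ("doc-0k-1c-docs.googleusercontent.com", "googlehosted.l.googleusercontent.com", None),
    ("googlehosted.l.googleusercontent.com", None, "172.217.23.33"),
    ("mail.gcclatinoamerica.com", None, "108.179.235.108"),
    ("prda.aadg.msidentity.com", "www.tm.a.prd.aadg.trafficmanager.net", None),
]

BANNER = ("220-gator4253.hostgator.com ESMTP Exim 4.93 #2 Tue, 06 Apr 2021 {}\n"
          "220-We do not authorize the use of this system to transport unsolicited,\n"
          "220 and/or bulk e-mail.")
EHLO_REPLY = ("250-gator4253.hostgator.com Hello 760639 [84.17.52.79]\n"
              "250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n"
              "250-AUTH PLAIN LOGIN\n250-STARTTLS\n250 HELP")

# (src_port, dst_port, src_ip, dst_ip, payload) from the SMTP Packets table.
SMTP_ROWS = [
    (587, 49751, SERVER, CLIENT, BANNER.format("05:41:45 -0500")),
    (49751, 587, CLIENT, SERVER, "EHLO 760639"),
    (587, 49751, SERVER, CLIENT, EHLO_REPLY),
    (49751, 587, CLIENT, SERVER, "STARTTLS"),
    (587, 49751, SERVER, CLIENT, "220 TLS go ahead"),
    (587, 49752, SERVER, CLIENT, BANNER.format("05:41:49 -0500")),
    (49752, 587, CLIENT, SERVER, "EHLO 760639"),
    (587, 49752, SERVER, CLIENT, EHLO_REPLY),
    (49752, 587, CLIENT, SERVER, "STARTTLS"),
    (587, 49752, SERVER, CLIENT, "220 TLS go ahead"),
]


def resolve(dns_answers, name, max_hops=8):
    """Follow CNAMEs to an A record; None when the chain ends without one."""
    cnames = {n: c for n, c, _ in dns_answers if c}
    addrs = {n: a for n, _, a in dns_answers if a}
    for _ in range(max_hops):
        if name in addrs:
            return addrs[name]
        if name not in cnames:
            return None
        name = cnames[name]
    return None


def names_for_ip(dns_answers):
    """Reverse map: address -> every queried name that led to it."""
    out = {}
    for name, _, _ in dns_answers:
        ip = resolve(dns_answers, name)
        if ip:
            out.setdefault(ip, []).append(name)
    return out


def parse_reply(reply):
    """Multi-line reply -> (code, [texts]); '250-' continues, '250 ' ends."""
    lines = reply.splitlines()
    return lines[0][:3], [ln[4:] for ln in lines]


def summarize_sessions(rows, client_ip=CLIENT):
    """One record per client port: peer, banner, EHLO name, advertised
    extensions, verbs still readable, and whether STARTTLS hid the rest."""
    sessions = OrderedDict()
    for sport, dport, sip, dip, payload in rows:
        from_client = sip == client_ip
        key = sport if from_client else dport
        s = sessions.setdefault(key, {
            "peer": f"{dip if from_client else sip}:{dport if from_client else sport}",
            "banner": None, "ehlo": None, "extensions": [],
            "cleartext_verbs": [], "starttls": False, "auth_in_clear": False})
        if from_client:
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            s["cleartext_verbs"].append(verb)
            if verb == "EHLO":
                s["ehlo"] = arg
            elif verb == "STARTTLS":
                s["starttls"] = True
            elif verb in ("AUTH", "MAIL"):   # would only appear without STARTTLS
                s["auth_in_clear"] = True
        else:
            code, texts = parse_reply(payload)
            if code == "220" and s["banner"] is None:
                s["banner"] = texts[0]
            elif code == "250" and not s["extensions"]:
                s["extensions"] = [t.split()[0] for t in texts[1:]]
    return sessions


def iocs(rows=SMTP_ROWS, dns_answers=DNS_ANSWERS):
    """Peer, its DNS names, the client's EHLO identifier and the visibility boundary."""
    rev = names_for_ip(dns_answers)
    result = []
    for port, s in summarize_sessions(rows).items():
        ip = s["peer"].split(":")[0]
        result.append({"client_port": port, "peer": s["peer"], "names": rev.get(ip, []),
                       "ehlo": s["ehlo"],
                       "server_offers_plain_auth": "AUTH" in s["extensions"],
                       "encrypted_after": "STARTTLS" if s["starttls"] else None,
                       "credentials_captured": s["auth_in_clear"]})
    return result
```

Because the client negotiates STARTTLS, the capture yields the mail server, the EHLO hostname and the server's advertised capabilities but not the credentials or the message body; recovering those needs TLS interception in the sandbox or the in-memory configuration of the process that sent them.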

                      Behavior

                      System Behavior

                      General

Start time: 12:38:32
Start date: 06/04/2021
Path: C:\Users\user\Desktop\ddff.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\ddff.exe'
Imagebase: 0x400000
File size: 122880 bytes
MD5 hash: DED56210E4491797F704B4B0525238D8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

                      General

Start time: 12:39:57
Start date: 06/04/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\ddff.exe'
Imagebase: 0xae0000
File size: 64616 bytes
MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000013.00000002.847807886.0000000000F02000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.857079971.000000001DC21000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

                      General

Start time: 12:39:58
Start date: 06/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
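The detail to notice in the second process record is that the image is C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe while its command line is 'C:\Users\user\Desktop\ddff.exe', the sample's own path; that mismatch is what a process created with another program's command line and then overwritten in memory looks like, and it is the one place a process-creation log shows it. The script below is an added example, not code from the report or from Joe Sandbox; the three records are copied from the General blocks above, and the quoting rules in cmdline_executable (single quotes as the sandbox prints them, double quotes as Windows does) are an assumption about the log source.

```python
"""Flag process-creation records whose image path and command line name
different executables, as the report shows for RegAsm.exe.
Records are copied from the System Behavior section above."""
import ntpath

PROCESSES = [
    {"path": r"C:\Users\user\Desktop\ddff.exe",
     "cmdline": "'C:\\Users\\user\\Desktop\\ddff.exe'", "wow64": True},
    {"path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "'C:\\Users\\user\\Desktop\\ddff.exe'", "wow64": True},
    {"path": r"C:\Windows\System32\conhost.exe",
     "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", "wow64": False},
]


def cmdline_executable(cmdline: str) -> str:
    """Return argv[0] of a Windows command line.
    Assumption: a leading single or double quote delimits a quoted path
    (the sandbox prints single quotes); otherwise argv[0] ends at whitespace."""
    cmdline = cmdline.strip()
    if not cmdline:
        return ""
    if cmdline[0] in "'\"":
        end = cmdline.find(cmdline[0], 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0]


def image_cmdline_mismatch(rec: dict) -> bool:
    """True when the mapped image and argv[0] are different executables.
    Only the basename is compared, case-insensitively, because legitimate
    launches routinely differ in directory spelling (System32 vs system32)."""
    image = ntpath.basename(rec["path"]).lower()
    argv0 = ntpath.basename(cmdline_executable(rec["cmdline"])).lower()
    return image != argv0


def suspicious(records) -> list:
    """Records worth a second look, each annotated with the reason."""
    hits = []
    for rec in records:
        if image_cmdline_mismatch(rec):
            hits.append({**rec, "reason": "image %s launched with command line for %s"
                         % (ntpath.basename(rec["path"]),
                            ntpath.basename(cmdline_executable(rec["cmdline"])))})
    return hits


if __name__ == "__main__":
    for hit in suspicious(PROCESSES):
        print(hit["reason"])
```

A mismatch on its own is a lead, not a verdict; confirm it against the memory findings the report already attaches to that process (the Yara matches on the RegAsm.exe dumps) or against the parent relationship, which this section does not list.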
