
Analysis Report Ordine d'acquisto 240517_04062021.exe

Overview

General Information

Sample Name: Ordine d'acquisto 240517_04062021.exe
Analysis ID: 382848
MD5: c81b0ec94cb5bc1e76b355d7e1125a48
SHA1: ed6f7c97ab1d9cc4dec729c591243ce5285136f1
SHA256: 51b0a2f869f9fe39cc1860dec5ef153af89e00c4a8c3b4c813cdd30cdebc0b11
Most interesting Screenshot: (image not reproduced)

Detection

Detected families: AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Installs a global keyboard hook
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Ordine d'acquisto 240517_04062021.exe (PID: 2160 cmdline: 'C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe' MD5: C81B0EC94CB5BC1E76B355D7E1125A48)
    • RegAsm.exe (PID: 5324 cmdline: 'C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 1044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "sFYXIfZKCzm3DG", "URL: ": "https://dex62ukWey0O8Y.net", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "5XOud", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.750710271.0000000001162000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: RegAsm.exe PID: 5324 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 5324 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 5324, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49743

Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.5324.18.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "sFYXIfZKCzm3DG", "URL: ": "https://dex62ukWey0O8Y.net", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "5XOud", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: Ordine d'acquisto 240517_04062021.exe | Virustotal: Detection: 20%
Source: Ordine d'acquisto 240517_04062021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.21.140.41:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000012.00000002.759248902.0000000020920000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://dex62ukWey0O8Y.net
May check the online IP address of the machine
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.7:49743 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158 77.88.21.158
Source: Joe Sandbox View | IP Address: 23.21.140.41 23.21.140.41
Source: Joe Sandbox View | IP Address: 23.21.140.41 23.21.140.41
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | TCP traffic: 192.168.2.7:49743 -> 77.88.21.158:587
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1DCDA09A recv,
Source: unknown | DNS traffic detected: queries for: doc-0o-6o-docs.googleusercontent.com
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000012.00000002.758794914.00000000201B3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000012.00000002.758794914.00000000201B3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000012.00000002.758794914.00000000201B3000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: http://nafUNc.com
Source: RegAsm.exe, 00000012.00000002.758794914.00000000201B3000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000012.00000002.758794914.00000000201B3000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/(
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: RegAsm.exe, 00000012.00000003.699495875.00000000015E8000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: https://dex62ukWey0O8Y.net
Source: RegAsm.exe, 00000012.00000002.751551309.0000000001580000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0o-6o-docs.googleusercontent.com/
Source: RegAsm.exe, 00000012.00000002.751551309.0000000001580000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0o-6o-docs.googleusercontent.com/(
Source: RegAsm.exe, 00000012.00000003.699511713.00000000015F0000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000003.699495875.00000000015E8000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0o-6o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/vkk0ofrs
Source: RegAsm.exe, 00000012.00000002.751568208.000000000158B000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000012.00000002.751568208.000000000158B000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/H
Source: RegAsm.exe | String found in binary or memory: https://drive.google.com/uc?export=download&id=1LSC9ldiGFuCAvjiVIQm80wF9sXRE3FgX
Source: RegAsm.exe, 00000012.00000002.751568208.000000000158B000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1LSC9ldiGFuCAvjiVIQm80wF9sXRE3FgX3
Source: RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000012.00000002.758794914.00000000201B3000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.21.140.41:443 -> 192.168.2.7:49742 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe | Code function: 1_2_004145C0 OpenClipboard,
Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000002.472933771.000000000070A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168843 NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168308 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168923 NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168960 NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_0116898C NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_011689C1 NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_011689FB NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_0116885F NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_0116888F NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_011688C3 NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168306 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168B7A NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_0116879B NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168BAE NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168A53 NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168A8F NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_01168AFF NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1DCDB0BA NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1DCDB089 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe | Code function: 1_2_004071E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1D8C8D10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1D8CC4A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1D8CCCB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1D8CF0B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1D8CD46F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1D8C1288
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1D8C3248
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1DDFE220
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_20F00440
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_20F00431
Source: Ordine d'acquisto 240517_04062021.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000000.226049397.0000000000419000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameQuic2.exe vs Ordine d'acquisto 240517_04062021.exe
Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000002.474278863.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQuic2.exeFE2X vs Ordine d'acquisto 240517_04062021.exe
Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000002.474278863.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQuic2.exeFE2XI< vs Ordine d'acquisto 240517_04062021.exe
Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000002.474278863.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQuic2.exeFE2X{= vs Ordine d'acquisto 240517_04062021.exe
Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000002.474278863.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQuic2.exeFE2XD# vs Ordine d'acquisto 240517_04062021.exe
Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000002.474278863.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQuic2.exeFE2Xv vs Ordine d'acquisto 240517_04062021.exe
Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000002.474278863.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQuic2.exeFE2XC& vs Ordine d'acquisto 240517_04062021.exe
Source: Ordine d'acquisto 240517_04062021.exe | Binary or memory string: OriginalFilenameQuic2.exe vs Ordine d'acquisto 240517_04062021.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: security.dll
Source: Ordine d'acquisto 240517_04062021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1DCDAF3E AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 18_2_1DCDAF07 AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1044:120:WilError_01
Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DF914D3DD4F5334E25.TMP
Source: Ordine d'acquisto 240517_04062021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Ordine d'acquisto 240517_04062021.exe | Virustotal: Detection: 20%
Source: unknown | Process created: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe 'C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe'
Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000012.00000002.759248902.0000000020920000.00000002.00000001.sdmp

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000012.00000002.750710271.0000000001162000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5324, type: MEMORY
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_00404E46 pushfd ; iretd
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_00404047 pushfd ; iretd
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_00408204 push es; retf
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_004020CC pushfd ; iretd
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_00402EE8 push dword ptr [edi-4B012F33h]; retf
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_004020FC pushfd ; iretd
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_0040808A push ecx; iretd
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_0040336A push fs; ret
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_00402300 pushfd ; iretd
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_00402BD7 pushfd ; iretd
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeCode function: 1_2_00402F90 pushfd ; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_01163760 pushfd ; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_01167AE0 pushad ; retn 3135h
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1D8C9407 push edx; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1D8CCA18 push edx; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1D8CDE77 push eax; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDF86E8 push eax; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFA983 push esp; retf
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFE17D push ecx; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFD975 push eax; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDF2168 push 40341DDBh; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFD924 push eax; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFD8D5 push eax; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFD4CC push eax; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFB0C3 push ebx; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFD4EE push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFD4E3 push eax; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFD3E3 push esi; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDF1EF8 push 62441DDBh; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1DDFF228 push esi; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_20F01F87 push ebp; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_01167CD4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_01166AA5
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe RDTSC instruction interceptor: First address: 0000000000513BC4 second address: 0000000000513BC4 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F4A64DED3A8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F4A64DED36Bh 0x00000026 push ecx 0x00000027 jmp 00007F4A64DED3C6h 0x00000029 test bl, cl 0x0000002b call 00007F4A64DED3E1h 0x00000030 call 00007F4A64DED3B8h 0x00000035 lfence 0x00000038 mov edx, dword ptr [7FFE0014h] 0x0000003e lfence 0x00000041 ret 0x00000042 mov esi, edx 0x00000044 pushad 0x00000045 rdtsc
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe RDTSC instruction interceptor: First address: 0000000000513E5B second address: 0000000000513E69 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a ret 0x0000000b jmp 00007F4A64DED3CAh 0x0000000d cmp dx, ax 0x00000010 pop ecx 0x00000011 cmp bh, bh 0x00000013 test dl, bl 0x00000015 cmp edx, 31h 0x00000018 jnle 00007F4A64DED3A9h 0x0000001a add edi, edx 0x0000001c jmp 00007F4A64DED3C2h 0x0000001e cmp ecx, C1845AD3h 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F4A64DED32Eh 0x0000002a push ecx 0x0000002b call 00007F4A64DED490h 0x00000030 call 00007F4A64DED427h 0x00000035 lfence 0x00000038 rdtsc
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe RDTSC instruction interceptor: First address: 0000000000514467 second address: 0000000000514467 instructions:
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe RDTSC instruction interceptor: First address: 000000000051350A second address: 000000000051350A instructions:
            Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Function Chain: threadResumed,memAlloc,threadDelayed,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,processSet,memAlloc,memAlloc,memAlloc,memAlloc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Function Chain: systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,processSet,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,systemQueried,threadDelayed
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect Any.run
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: RegAsm.exe, 00000012.00000002.751568208.000000000158B000.00000004.00000020.sdmp Binary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXEH<Z
            Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000002.472968872.0000000000721000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP
            Source: RegAsm.exe, 00000012.00000002.750710271.0000000001162000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe RDTSC instruction interceptor: First address: 0000000000513BC4 second address: 0000000000513BC4 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F4A64DED3A8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F4A64DED36Bh 0x00000026 push ecx 0x00000027 jmp 00007F4A64DED3C6h 0x00000029 test bl, cl 0x0000002b call 00007F4A64DED3E1h 0x00000030 call 00007F4A64DED3B8h 0x00000035 lfence 0x00000038 mov edx, dword ptr [7FFE0014h] 0x0000003e lfence 0x00000041 ret 0x00000042 mov esi, edx 0x00000044 pushad 0x00000045 rdtsc
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe RDTSC instruction interceptor: First address: 0000000000513E69 second address: 0000000000513E69 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F4A64399DA5h 0x0000001d popad 0x0000001e call 00007F4A643968CFh 0x00000023 lfence 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe RDTSC instruction interceptor: First address: 0000000000513E5B second address: 0000000000513E69 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a ret 0x0000000b jmp 00007F4A64DED3CAh 0x0000000d cmp dx, ax 0x00000010 pop ecx 0x00000011 cmp bh, bh 0x00000013 test dl, bl 0x00000015 cmp edx, 31h 0x00000018 jnle 00007F4A64DED3A9h 0x0000001a add edi, edx 0x0000001c jmp 00007F4A64DED3C2h 0x0000001e cmp ecx, C1845AD3h 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F4A64DED32Eh 0x0000002a push ecx 0x0000002b call 00007F4A64DED490h 0x00000030 call 00007F4A64DED427h 0x00000035 lfence 0x00000038 rdtsc
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe RDTSC instruction interceptor: First address: 0000000000514467 second address: 0000000000514467 instructions:
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe RDTSC instruction interceptor: First address: 000000000051350A second address: 000000000051350A instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001163E69 second address: 0000000001163E69 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F4A64399DA5h 0x0000001d popad 0x0000001e call 00007F4A643968CFh 0x00000023 lfence 0x00000026 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_0116751B rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Window / User API: threadDelayed 719
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4660 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4660 Thread sleep time: -21570000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4660 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4660 Thread sleep time: -59564s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4660 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 30000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 30000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 30000
            Source: Ordine d'acquisto 240517_04062021.exe, 00000001.00000002.472968872.0000000000721000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exep
            Source: RegAsm.exe, 00000012.00000002.759061489.0000000020510000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: RegAsm.exe, 00000012.00000002.751568208.000000000158B000.00000004.00000020.sdmp Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exeh<z
            Source: RegAsm.exe, 00000012.00000002.751568208.000000000158B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
            Source: RegAsm.exe, 00000012.00000002.759061489.0000000020510000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: RegAsm.exe, 00000012.00000002.750710271.0000000001162000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: RegAsm.exe, 00000012.00000002.759061489.0000000020510000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: RegAsm.exe, 00000012.00000002.751699349.00000000015DC000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWpz
            Source: RegAsm.exe, 00000012.00000002.759061489.0000000020510000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation

            Anti Debugging:

            Hides threads from debuggers
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_0116751B rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_01164E73 LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_011639AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_01166804 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_01166026 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_01166028 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_01167CD7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_01167CD4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard
            Source: RegAsm.exe, 00000012.00000002.752228406.0000000001A80000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
            Source: RegAsm.exe, 00000012.00000002.752228406.0000000001A80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 00000012.00000002.752228406.0000000001A80000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: RegAsm.exe, 00000012.00000002.752228406.0000000001A80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected AgentTesla
            Source: Yara match File source: 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5324, type: MEMORY
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Tries to harvest and steal ftp login credentials
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: Yara match File source: 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5324, type: MEMORY

            Remote Access Functionality:

            Yara detected AgentTesla
            Source: Yara match File source: 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5324, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 211 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 11 | OS Credential Dumping 2 | System Information Discovery 413 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Access Token Manipulation 1 | Obfuscated Files or Information 1 | Input Capture 111 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 2 | DLL Side-Loading 1 | Security Account Manager | Security Software Discovery 731 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 341 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture 111 | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Access Token Manipulation 1 | LSA Secrets | Virtualization/Sandbox Evasion 341 | SSH | Clipboard Data 2 | Data Transfer Size Limits | Application Layer Protocol 112 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 2 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Network Configuration Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

[Interactive process/signature graph not reproduced in this text version. Legend of node types used by the graph: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), Is malicious, Internet.]

Screenshots

[Screenshot thumbnails of the Windows analysis machine not reproduced in this text version.]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner
Ordine d'acquisto 240517_04062021.exe | 20% | VirusTotal

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner (number of identical entries in the original) | Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation (4) | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation (3) | safe
https://sectigo.com/CPS0 | 0% | URL Reputation (3) | safe
https://dex62ukWey0O8Y.net | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation (3) | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation (3) | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation (3) | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation (3) | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation (3) | safe
https://pki.goog/repository/0 | 0% | URL Reputation (3) | safe
http://nafUNc.com | 0% | Avira URL Cloud | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation (3) | safe

Note on reading this table: the sectigo.com and pki.goog entries are the AIA (.crt), OCSP, CRL and CPS URLs embedded in X.509 certificate chains that RegAsm.exe parsed in memory during its TLS connections; the trailing 0, # and ? characters are the adjacent DER bytes picked up by string carving. Likewise "GETMozilla/5.0" and "DynDNS" are neighbouring strings fused onto a URL. None of these are sample-specific infrastructure, which is why every reputation lookup returns safe.

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 23.21.140.41 | true | false | - | high
smtp.yandex.ru | 77.88.21.158 | true | false | - | high
googlehosted.l.googleusercontent.com | 172.217.23.33 | true | false | - | high
smtp.yandex.com | unknown | unknown | false | - | high
doc-0o-6o-docs.googleusercontent.com | unknown | unknown | false | - | high
api.ipify.org | unknown | unknown | false | - | high

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://dex62ukWey0O8Y.net | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | false | - | high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | RegAsm.exe, 00000012.00000002.758794914.00000000201B3000.00000004.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
https://doc-0o-6o-docs.googleusercontent.com/ | RegAsm.exe, 00000012.00000002.751551309.0000000001580000.00000004.00000020.sdmp | false | - | high
http://127.0.0.1:HTTP/1.1 | RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org | RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
https://sectigo.com/CPS0 | RegAsm.exe, 00000012.00000002.758794914.00000000201B3000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://ocsp.sectigo.com0 | RegAsm.exe, 00000012.00000002.758794914.00000000201B3000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://crl.pki.goog/GTS1O1core.crl0 | RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
https://doc-0o-6o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/vkk0ofrs | RegAsm.exe, 00000012.00000003.699511713.00000000015F0000.00000004.00000001.sdmp; RegAsm.exe, 00000012.00000003.699495875.00000000015E8000.00000004.00000001.sdmp | false | - | high
http://pki.goog/gsr2/GTS1O1.crt0 | RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://crl.pki.goog/gsr2/gsr2.crl0? | RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
https://pki.goog/repository/0 | RegAsm.exe, 00000012.00000003.699422242.0000000001618000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | false | - | high
https://api.ipify.org/( | RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | false | - | high
https://doc-0o-6o-docs.googleusercontent.com/( | RegAsm.exe, 00000012.00000002.751551309.0000000001580000.00000004.00000020.sdmp | false | - | high
http://nafUNc.com | RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.orgGETMozilla/5.0 | RegAsm.exe, 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown

Note on reading this table: the Telegram and Tor URLs still contain their builder placeholders (%telegramapi%, %tordir%). AgentTesla ships exfiltration templates for several channels (SMTP, FTP, HTTP, Telegram, Tor) in every build; unsubstituted placeholders mean these strings are the inactive templates, not configured infrastructure. The configured channel for this sample is the SMTP one, consistent with smtp.yandex.ru in the Contacted Domains table above. The googleusercontent.com "docs/securesc" URL is Google Drive's direct-download form, i.e. the stage the loader fetched its payload from.
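
The triage step an analyst performs on a table like the one above, as an added example (this is not Joe Sandbox code and not part of the original report): the raw strings are copied from the report, the category names, the residue-stripping rule and the TLD list in HOST_RE are this example's own simplifications, and hosts that fall into no known bucket are left for manual review rather than being labelled.

```python
"""Triage of URL strings carved from RegAsm.exe memory.

Added example, not Joe Sandbox code. MEMORY_URLS is copied from the report's
'URLs from Memory and Binaries' and 'Contacted URLs' tables; the category
names and the TLD list in HOST_RE are this example's own simplifications.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the raw strings exactly as the report lists them,
# including the carving residue (trailing '0', '0#', '0?', '(', and URLs
# fused with a neighbouring 'GET' / 'DynDNS' string).
MEMORY_URLS = [
    "https://api.ipify.org/",
    "http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#",
    "https://doc-0o-6o-docs.googleusercontent.com/",
    "http://127.0.0.1:HTTP/1.1",
    "https://api.ipify.org",
    "http://DynDns.comDynDNS",
    "https://sectigo.com/CPS0",
    "http://ocsp.sectigo.com0",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "http://crl.pki.goog/GTS1O1core.crl0",
    "https://doc-0o-6o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/vkk0ofrs",
    "http://pki.goog/gsr2/GTS1O1.crt0",
    "http://crl.pki.goog/gsr2/gsr2.crl0?",
    "https://pki.goog/repository/0",
    "https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x",
    "https://api.ipify.org/(",
    "https://doc-0o-6o-docs.googleusercontent.com/(",
    "http://nafUNc.com",
    "https://api.ipify.orgGETMozilla/5.0",
    "https://dex62ukWey0O8Y.net",
]

# Hosts that appear only because an X.509 chain was parsed in memory: the
# AIA (.crt), OCSP, CRL and CPS URLs are embedded in every certificate.
PKI_HOSTS = {"crt.sectigo.com", "ocsp.sectigo.com", "sectigo.com",
             "crl.pki.goog", "pki.goog"}
IP_LOOKUP_HOSTS = {"api.ipify.org"}            # victim public-IP lookup service
PLACEHOLDER = re.compile(r"%[A-Za-z0-9_]+%")   # unfilled builder placeholder, e.g. %telegramapi%
# Host = shortest run of host characters ending in one of the TLDs seen in this
# report and not followed by a lowercase host character, so 'api.ipify.orgGET'
# stops at .org while 'dex62ukWey0O8Y.net' is kept whole. A simplification.
HOST_RE = re.compile(r"^https?://([A-Za-z0-9.-]*?\.(?:com|net|org|ru|goog))(?![a-z0-9-])")
IPV4_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})")


def host_of(raw: str) -> Optional[str]:
    """Extract the lowercased hostname after stripping carving residue."""
    url = raw.rstrip("0#?(")   # DER bytes / stray characters that followed the URL in memory
    m = IPV4_RE.match(url) or HOST_RE.match(url)
    return m.group(1).lower() if m else None


def classify(raw: str) -> Tuple[Optional[str], str]:
    """Return (host, category) for one carved URL string."""
    host = host_of(raw)
    if host is None:
        return None, "unparsed"
    if PLACEHOLDER.search(raw):
        return host, "config-template"    # channel template, placeholders never substituted
    if host.startswith("127."):
        return host, "loopback"
    if host in PKI_HOSTS:
        return host, "pki-metadata"
    if host in IP_LOOKUP_HOSTS:
        return host, "ip-lookup"
    if host.endswith(".googleusercontent.com"):
        return host, "gdrive-download"    # Google Drive direct-download host
    return host, "review"                 # nothing known: an analyst has to look


def triage(urls: List[str]) -> Dict[str, List[str]]:
    """Group unique hosts by category; 'review' is the list worth an analyst's time."""
    buckets: Dict[str, set] = {}
    for raw in urls:
        host, cat = classify(raw)
        buckets.setdefault(cat, set()).add(host or raw)
    return {cat: sorted(hosts) for cat, hosts in buckets.items()}


if __name__ == "__main__":
    for cat, hosts in triage(MEMORY_URLS).items():
        print(f"{cat:16} {', '.join(hosts)}")
```

Run against the report's strings, the only hosts left in the "review" bucket are dex62ukwey0o8y.net, dyndns.com and nafunc.com; everything else is certificate metadata, a public IP-lookup service, loopback, an unfilled channel template, or the Google Drive download host. Whether a "review" host is real infrastructure or an unrelated string that happened to sit next to a URL in the string pool (the DynDNS case) is exactly the question the script cannot answer for you.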

                                      Contacted IPs


                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.217.23.33 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false
77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false
23.21.140.41 | elb097307-934924932.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
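
Every destination in the two tables above is legitimate shared infrastructure (Yandex mail, a public IP-lookup service behind an AWS load balancer, Google Drive), which is why all of them carry "Malicious: false" and a high reputation. The useful detection is therefore the pairing of destination with the process making the connection, not the destination alone. The following is an added example of that check (not Joe Sandbox or AgentTesla code and not part of the original report): the hosts and IPs come from the report, while the key=value log format, the constructed log lines, the PIDs other than 5324, the process names other than RegAsm.exe and the SMTP port list are this example's assumptions.

```python
"""Turning the report's network indicators into a process-aware check.

Added example, not Joe Sandbox or AgentTesla code. Destination hosts/IPs come
from the report's 'Contacted Domains' and 'Contacted IPs' tables; the log
format, the sample log lines, the PIDs other than 5324, the process names
other than RegAsm.exe and the SMTP port numbers are this example's assumptions.
"""
from typing import Dict, List, Tuple

# Indicators from the report, tagged by what they mean rather than "bad/good".
# smtp.yandex.ru is legitimate mail infrastructure abused for exfiltration and
# api.ipify.org is a public IP-lookup service used by many unrelated samples
# (see the Joe Sandbox View / Context tables), so neither is worth blocking
# outright; the process that talks to them is the discriminating fact.
REPORT_HOSTS = {
    "smtp.yandex.ru": "exfil-smtp",
    "smtp.yandex.com": "exfil-smtp",
    "77.88.21.158": "exfil-smtp",
    "api.ipify.org": "ip-lookup",
    "elb097307-934924932.us-east-1.elb.amazonaws.com": "ip-lookup",
    "23.21.140.41": "ip-lookup",
    "doc-0o-6o-docs.googleusercontent.com": "payload-download",
    "googlehosted.l.googleusercontent.com": "payload-download",
    "172.217.23.33": "payload-download",
}
SMTP_PORTS = {25, 465, 587}                          # assumption: ports treated as SMTP
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}    # assumption: processes allowed to speak SMTP
# RegAsm.exe is the .NET assembly-registration tool. The report shows the
# AgentTesla payload running inside it (Yara hits in RegAsm.exe PID 5324);
# neither it nor its siblings has any business on the network.
NO_NETWORK_EXPECTED = {"regasm.exe", "regsvcs.exe", "msbuild.exe"}

# Constructed network-connection events in a simple key=value format; 'image'
# carries only the executable name so the lines split cleanly on whitespace.
SAMPLE_LOG = """\
ts=2021-04-06T18:54:40 image=RegAsm.exe pid=5324 dst=23.21.140.41 dport=443 dstname=api.ipify.org
ts=2021-04-06T18:54:41 image=RegAsm.exe pid=5324 dst=77.88.21.158 dport=587 dstname=smtp.yandex.ru
ts=2021-04-06T18:55:02 image=OUTLOOK.EXE pid=4120 dst=198.51.100.10 dport=587 dstname=smtp.example.net
ts=2021-04-06T18:55:10 image=chrome.exe pid=2288 dst=172.217.23.33 dport=443 dstname=googlehosted.l.googleusercontent.com
"""

Alert = Tuple[str, str, int]   # (severity, rule, pid)


def parse_line(line: str) -> Dict[str, str]:
    """Split one event into a dict; values contain no spaces in this constructed format."""
    return dict(tok.split("=", 1) for tok in line.split())


def evaluate(log: str) -> List[Alert]:
    """Apply the three rules to every connection event and return the alerts raised."""
    alerts: List[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        proc = ev["image"].lower()
        pid = int(ev["pid"])
        dport = int(ev["dport"])
        tag = REPORT_HOSTS.get(ev["dstname"]) or REPORT_HOSTS.get(ev["dst"])

        # Rule 1 (high): SMTP from anything that is not a mail client. Catches the
        # exfiltration regardless of which mail provider the config points at.
        if dport in SMTP_PORTS and proc not in MAIL_CLIENTS:
            alerts.append(("high", "smtp-from-non-mail-process", pid))
        # Rule 2 (medium): any network activity from a process that should have none.
        if proc in NO_NETWORK_EXPECTED:
            alerts.append(("medium", "network-from-" + proc.rsplit(".", 1)[0], pid))
        # Rule 3 (low): report indicators, kept as enrichment rather than a block.
        if tag:
            alerts.append(("low", "report-indicator:" + tag, pid))
    return alerts


if __name__ == "__main__":
    for severity, rule, pid in evaluate(SAMPLE_LOG):
        print(f"{severity:6} pid={pid} {rule}")
```

On the constructed log, PID 5324 raises the high-severity SMTP rule plus the RegAsm rule and two low-severity enrichment hits, Outlook sending mail raises nothing, and Chrome fetching from the same Google IP the loader used gets only the low-severity enrichment tag, which is the point: the report's IP and domain indicators on their own separate nothing.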

                                      General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 382848
Start date: 06.04.2021
Start time: 18:51:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Ordine d'acquisto 240517_04062021.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 97.9% (good quality ratio 46.5%)
• Quality average: 28.2%
• Quality standard deviation: 34.8%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                      • TCP Packets have been reduced to 100
                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 92.122.145.220, 204.79.197.200, 13.107.21.200, 52.255.188.83, 104.43.139.144, 52.147.198.201, 23.57.80.111, 13.88.21.125, 20.82.210.154, 2.20.142.210, 2.20.142.209, 8.241.90.126, 8.238.85.254, 8.238.85.126, 8.238.35.126, 67.26.83.254, 20.190.159.136, 20.190.159.134, 40.126.31.8, 20.190.159.138, 40.126.31.141, 40.126.31.6, 40.126.31.1, 40.126.31.137, 92.122.213.247, 92.122.213.194, 172.217.20.238, 52.155.217.156, 20.54.26.129
                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

Time | Type | Description
18:54:38 | API Interceptor | 1044 Sleep calls by process RegAsm.exe were modified (shortened) by the interceptor

                                      Joe Sandbox View / Context

                                      IPs

Match | Associated Sample Name / URL | Detection | Context

77.88.21.158 (smtp.yandex.ru): other samples seen contacting this IP, all detected as malicious:
• Order 01042021-V728394-H16.pdf.exe
• RFQ#EX50GO_pdf.exe
• TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe
• Shandong CIRS Form.exe
• DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe
• REQUEST QUOTATION BID..pdf.exe
• RFQ#ZAEL67012_doc.exe
• Q99Eljz7IT.exe
• SecuriteInfo.com.Trojan.PackedNET.576.12750.exe
• Swift Copy Against due Invoice.PDF.exe
• PO#ZA3MMA_pdf.exe
• kfMrlKSN4F.exe
• xjvIB3Wkvk.exe
• Placement approval.exe
• DHL INV+AWB5501980113371714001.pdf___.exe
• 83MlDEF8fD.exe
• 5DhRNTGBUk.exe
• WEF2WOfWeo.exe
• PAYMENT-FB21026518_10493_PINQ_20210216_PDF.exe
• payment advice.pdf.exe

23.21.140.41 (api.ipify.org load balancer): other samples seen contacting this IP, all detected as malicious, with the URL each requested:
• Jg5HD77Nyo.exe (api.ipify.org/?format=xml)
• msals.dll (api.ipify.org/)
• 0302_21678088538951.doc (api.ipify.org/?format=xml)
• Static.dll (api.ipify.org/)
• RFQ- 978002410.exe (api.ipify.org/)
• E2ucBaWqpe.exe (api.ipify.org/?format=xml)
• 0210_1723194332604.doc (api.ipify.org/?format=xml)
• SecuriteInfo.com.Generic.mg.a7d038f64060412d.exe (api.ipify.org/?format=xml)
• SecuriteInfo.com.BehavesLike.Win32.Generic.pm.exe (api.ipify.org/)
• 0fiasS.dll (api.ipify.org/?format=xml)
• 0fiasS.dll (api.ipify.org/)
• DyssrxQNS8.exe (api.ipify.org/?format=xml)
• W0rd.dll (api.ipify.org/)
• Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe (api.ipify.org/)
• 02_extracted.exe (api.ipify.org/)

                                                                              Domains

Match | Associated Sample Name / URL | Detection | Context

elb097307-934924932.us-east-1.elb.amazonaws.com: other samples resolving this domain, all detected as malicious, with the IP each received:
• msals.pumpl.dll (107.22.233.72)
• 0406_37400496097832.doc (54.225.157.230)
• FN vw Safety 1 & 2.exe (54.225.165.85)
• MV TBN.uslfze.exe (23.21.48.44)
• iUavNne3hp.exe (23.21.76.253)
• 7919bd3d8ee49fb1803f25bd73682f5fde4164ad65230.exe (50.19.242.215)
• 45ed95c173fd2df5f05f42c2121698db4484f032344c8.exe (54.235.175.90)
• L87N50MbDG.exe (54.225.165.85)
• msals.pumpl.dll (23.21.48.44)
• z2t2UjaWQ0.exe (54.235.175.90)
• 30QD3GAnw7.exe (54.225.157.230)
• 4QVwajpcdz.exe (54.221.253.252)
• 8uADV5QTqx.exe (50.19.252.36)
• scan-100218.docm (54.225.165.85)
• FB11.exe (23.21.76.253)
• 6PKQHgSfco.exe (54.225.157.230)
• msals.pumpl.dll (54.243.164.148)
• 5YB4gJt3c7.exe (54.221.253.252)
• t7pQaphHHn.exe (54.235.83.248)
• MGTrWXtimL.exe (50.19.242.215)

smtp.yandex.ru: other samples resolving this domain, all detected as malicious; every one of them received 77.88.21.158:
• Order 01042021-V728394-H16.pdf.exe
• RFQ#EX50GO_pdf.exe
• TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe
• Shandong CIRS Form.exe
• DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe
• REQUEST QUOTATION BID..pdf.exe
• RFQ#ZAEL67012_doc.exe
• Q99Eljz7IT.exe
• SecuriteInfo.com.Trojan.PackedNET.576.12750.exe
• Swift Copy Against due Invoice.PDF.exe
• PO#ZA3MMA_pdf.exe
• kfMrlKSN4F.exe
• xjvIB3Wkvk.exe
• Placement approval.exe
• DHL INV+AWB5501980113371714001.pdf___.exe
• 83MlDEF8fD.exe
• EVpfhXQLoN.exe
• 0LyaS3hVE5.exe
• 5DhRNTGBUk.exe
• WEF2WOfWeo.exe

ASN

Match | Associated Sample Name / URL | Detection | Context
YANDEXRU | _VmailMessage_Wave19922626.html | malicious | 77.88.21.179
 | Order 01042021-V728394-H16.pdf.exe | malicious | 77.88.21.158
 | RFQ#EX50GO_pdf.exe | malicious | 77.88.21.158
 | TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe | malicious | 77.88.21.158
 | Shandong CIRS Form.exe | malicious | 77.88.21.158
 | DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe | malicious | 77.88.21.158
 | REQUEST QUOTATION BID..pdf.exe | malicious | 77.88.21.158
 | RFQ#ZAEL67012_doc.exe | malicious | 77.88.21.158
 | Q99Eljz7IT.exe | malicious | 77.88.21.158
 | SecuriteInfo.com.Trojan.PackedNET.576.12750.exe | malicious | 77.88.21.158
 | Swift Copy Against due Invoice.PDF.exe | malicious | 77.88.21.158
 | scan-100218.docm | malicious | 93.158.134.119
 | PO#ZA3MMA_pdf.exe | malicious | 77.88.21.158
 | kfMrlKSN4F.exe | malicious | 77.88.21.158
 | xjvIB3Wkvk.exe | malicious | 77.88.21.158
 | Placement approval.exe | malicious | 77.88.21.158
 | DHL INV+AWB5501980113371714001.pdf___.exe | malicious | 77.88.21.158
 | 83MlDEF8fD.exe | malicious | 77.88.21.158
 | u8A8Qy5S7O.exe | malicious | 87.250.250.22
 | 5DhRNTGBUk.exe | malicious | 77.88.21.158
AMAZON-AES | US0406_37400496097832.doc | malicious | 54.225.157.230
 | RFQ11_ZIM2021pdf.exe | malicious | 100.24.184.24
 | RFQ-V-SAM-0321D056-DOC.exe | malicious | 52.71.133.130
 | FN vw Safety 1 & 2.exe | malicious | 54.225.165.85
 | MV TBN.uslfze.exe | malicious | 23.21.48.44
 | TT COPY.exe | malicious | 52.20.218.92
 | iUavNne3hp.exe | malicious | 23.21.76.253
 | Reports-018315.xlsm | malicious | 34.205.48.95
 | Reports-018315.xlsm | malicious | 34.205.48.95
 | Reports-018315.xlsm | malicious | 34.205.48.95
 | Financial Doc.html | malicious | 3.222.43.26
 | anchor_x64.exe | malicious | 52.20.197.7
 | PaymentInvoice.exe | malicious | 34.202.122.77
 | SB210330034.pdf.exe | malicious | 3.223.115.185
 | 7919bd3d8ee49fb1803f25bd73682f5fde4164ad65230.exe | malicious | 50.19.242.215
 | 45ed95c173fd2df5f05f42c2121698db4484f032344c8.exe | malicious | 54.235.175.90
 | L87N50MbDG.exe | malicious | 54.225.165.85
 | befQY8YuZp.exe | malicious | 52.6.206.192
 | 38da70826e367c9808b135717c5ea31e4e69ef03eef30.exe | malicious | 52.6.206.192
 | wzdu53.exe | malicious | 34.231.69.13

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order.exe | malicious | 23.21.140.41
 | visa-eth.com-Setup.exe.danger.exe | malicious | 23.21.140.41
 | PO#.exe | malicious | 23.21.140.41
 | Matrix.exe | malicious | 23.21.140.41
 | Matrix.exe | malicious | 23.21.140.41
 | PowerShell_Input.ps1 | malicious | 23.21.140.41
 | OUR PO NO. CWI19150.exe | malicious | 23.21.140.41
 | hostsvc.dll | malicious | 23.21.140.41
 | FN vw Safety 1 & 2.exe | malicious | 23.21.140.41
 | MV TBN.uslfze.exe | malicious | 23.21.140.41
 | Launcher.exe | malicious | 23.21.140.41
 | ORDER.exe | malicious | 23.21.140.41
 | KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe | malicious | 23.21.140.41
 | TW#9898748948-TZE.exe | malicious | 23.21.140.41
 | Order PONSB 04042021.pdf(939MB).exe | malicious | 23.21.140.41
 | dAbE67VwvD.exe | malicious | 23.21.140.41
 | extremeinjectorv3.7.2.exe | malicious | 23.21.140.41
 | Setup[1].exe | malicious | 23.21.140.41
 | Donate_Caper_Fixed.exe | malicious | 23.21.140.41
 | DCRatBuild.exe | malicious | 23.21.140.41
37f463bf4616ecd445d4a1937da06e19 | catalogue-41.xlsb | malicious | 172.217.23.33
 | ddff.exe | malicious | 172.217.23.33
 | Doc_58YJ54-521DERG701-55YH701.exe | malicious | 172.217.23.33
 | 1e#U0414.exe | malicious | 172.217.23.33
 | svhost.exe | malicious | 172.217.23.33
 | beaconxx.exe | malicious | 172.217.23.33
 | _VmailMessage_Wave19922626.html | malicious | 172.217.23.33
 | 5H957qLghX.exe | malicious | 172.217.23.33
 | FK58.vbs | malicious | 172.217.23.33
 | ZgaBWrz3HH.exe | malicious | 172.217.23.33
 | RFQ#8086A_461A_0000086_300_3550_2021.exe | malicious | 172.217.23.33
 | wzdu53.exe | malicious | 172.217.23.33
 | Opik_lk.exe | malicious | 172.217.23.33
 | document-895003104.xls | malicious | 172.217.23.33
 | Dimmock5.exe | malicious | 172.217.23.33
 | pQlSDfwyYkf.js | malicious | 172.217.23.33
 | Balance payment..exe | malicious | 172.217.23.33
 | pQlSDfwyYkf.js | malicious | 172.217.23.33
 | document-1641473761.xls | malicious | 172.217.23.33
 | ObJRDAd8jZ.exe | malicious | 172.217.23.33

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

\Device\ConDrv
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 30
Entropy (8bit): 3.964735178725505
Encrypted: false
SSDEEP: 3:IBVFBWAGRHneyy:ITqAGRHner
MD5: 9F754B47B351EF0FC32527B541420595
SHA1: 006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256: 0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512: C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious: false
Reputation: moderate, very likely benign file
Preview: NordVPN directory not found!..

                                                                              Static File Info

                                                                              General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.730320746181446
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Ordine d'acquisto 240517_04062021.exe
File size: 122880
MD5: c81b0ec94cb5bc1e76b355d7e1125a48
SHA1: ed6f7c97ab1d9cc4dec729c591243ce5285136f1
SHA256: 51b0a2f869f9fe39cc1860dec5ef153af89e00c4a8c3b4c813cdd30cdebc0b11
SHA512: 1ec18a5d8f7c04b95cc52d9edf25eb64654775c66738df2092a0a4e22c246e77de1887e889acbe477c116b861797d8c5126b6fdadf2ad4b8e2c5035328bd4be4
SSDEEP: 3072:MGZBQh333333333333333333333334xDe2IDriZ2wWit+6ihG:t+h33333333333333333333333YfIv5v
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L......N.................p...`......(.............@................

                                                                              File Icon

Icon Hash: 0ccea09899191898

                                                                              Static PE Info

                                                                              General

Entrypoint: 0x401328
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x4EF40617 [Fri Dec 23 04:39:51 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: efa774b90ad6b9ab8c4fabb031ebe78d

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              push 00413E20h
                                                                              call 00007F4A64A05A35h
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              xor byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              cmp byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              wait
                                                                              mov cl, AAh
                                                                              rcr dword ptr [esi-03h], cl
                                                                              inc edx
                                                                              mov ebx, 5E4FAF49h
                                                                              mov al, byte ptr [0000DE8Eh]
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add dword ptr [eax], eax
                                                                              add byte ptr [eax], al
                                                                              inc ecx
                                                                              add byte ptr [esi+66018250h], al
                                                                              jc 00007F4A64A05AA7h
                                                                              insd
                                                                              add byte ptr [esi+0000022Fh], ah
                                                                              add byte ptr [eax], al
                                                                              dec esp
                                                                              xor dword ptr [eax], eax
                                                                              sub ch, dh
                                                                              mov dword ptr [9F8E37B2h], eax
                                                                              pop es
                                                                              inc esi
                                                                              mov ah, 4Fh
                                                                              wait

                                                                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17614 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x484e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xd4 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name  | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
.text | 0x1000          | 0x16a04      | 0x17000  | False    | 0.344864555027  | data      | 6.19080638319 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x18000         | 0xa88        | 0x1000   | False    | 0.00634765625   | data      | 0.0           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x19000         | 0x484e       | 0x5000   | False    | 0.41416015625   | data      | 4.36110878625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name          | RVA     | Size   | Type                 | Language | Country
RT_ICON       | 0x1b2a6 | 0x25a8 | data                 |          |
RT_ICON       | 0x1a1fe | 0x10a8 | data                 |          |
RT_ICON       | 0x19876 | 0x988  | data                 |          |
RT_ICON       | 0x1940e | 0x468  | GLS_BINARY_LSB_FIRST |          |
RT_GROUP_ICON | 0x193d0 | 0x3e   | data                 |          |
RT_VERSION    | 0x19180 | 0x250  | data                 | English  | United States

Imports

DLL          | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description      | Data
Translation      | 0x0409 0x04b0
InternalName     | Quic2
FileVersion      | 3.00
CompanyName      | Salty
Comments         | Salty
ProductName      | Salty
ProductVersion   | 3.00
FileDescription  | Salty
OriginalFilename | Quic2.exe

Possible Origin

Language of compilation system | Country where language is spoken
English                        | United States

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                                 | Type           | Class
Apr 6, 2021 18:54:27.002216101 CEST | 192.168.2.7 | 8.8.8.8 | 0xcff5   | Standard query (0) | doc-0o-6o-docs.googleusercontent.com | A (IP address) | IN (0x0001)
Apr 6, 2021 18:55:57.907483101 CEST | 192.168.2.7 | 8.8.8.8 | 0x58e5   | Standard query (0) | api.ipify.org                        | A (IP address) | IN (0x0001)
Apr 6, 2021 18:56:01.264106989 CEST | 192.168.2.7 | 8.8.8.8 | 0x79cf   | Standard query (0) | smtp.yandex.com                      | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 6, 2021 18:54:05.394366026 CEST | 8.8.8.8 | 192.168.2.7 | 0x514f | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 6, 2021 18:54:27.077100039 CEST | 8.8.8.8 | 192.168.2.7 | 0xcff5 | No error (0) | doc-0o-6o-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Apr 6, 2021 18:54:27.077100039 CEST | 8.8.8.8 | 192.168.2.7 | 0xcff5 | No error (0) | googlehosted.l.googleusercontent.com | | 172.217.23.33 | A (IP address) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.140.41 | A (IP address) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.221.253.252 | A (IP address) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.252.4 | A (IP address) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.252.36 | A (IP address) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.48.44 | A (IP address) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.175.90 | A (IP address) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.165.85 | A (IP address) | IN (0x0001)
Apr 6, 2021 18:55:57.955302954 CEST | 8.8.8.8 | 192.168.2.7 | 0x58e5 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.76.253 | A (IP address) | IN (0x0001)
Apr 6, 2021 18:56:01.318274975 CEST | 8.8.8.8 | 192.168.2.7 | 0x79cf | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001)
Apr 6, 2021 18:56:01.318274975 CEST | 8.8.8.8 | 192.168.2.7 | 0x79cf | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Apr 6, 2021 18:54:27.174952030 CEST | 172.217.23.33 | 443 | 192.168.2.7 | 49730 | CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Mar 16 20:32:57 CET 2021 | Tue Jun 08 21:32:56 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
    Chain certificate: CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021
Apr 6, 2021 18:55:58.246937037 CEST | 23.21.140.41 | 443 | 192.168.2.7 | 49742 | CN=*.ipify.org | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Jan 19 01:00:00 CET 2021 | Sun Feb 20 00:59:59 CET 2022 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
    Chain certificate: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
    Chain certificate: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029
    Chain certificate: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 6, 2021 18:56:01.762383938 CEST | 587 | 49743 | 77.88.21.158 | 192.168.2.7 | 220 vla1-ef285479e348.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 18:52:34
Start date: 06/04/2021
Path: C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe'
Imagebase: 0x400000
File size: 122880 bytes
MD5 hash: C81B0EC94CB5BC1E76B355D7E1125A48
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

General

Start time: 18:54:13
Start date: 06/04/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Ordine d'acquisto 240517_04062021.exe'
Imagebase: 0xd90000
File size: 53248 bytes
MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000012.00000002.750710271.0000000001162000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.757510449.000000001DF11000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 18:54:14
Start date: 06/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis