Analysis Report FAKTURA I RACHUNKI.exe

Overview

General Information

Sample Name: FAKTURA I RACHUNKI.exe
Analysis ID: 383950
MD5: ac62ebbbf6ec96f48a8cca64793bf8fb
SHA1: c1e10d41d090cb7d0505b46a1b48f3f533aa6aad
SHA256: 5708e5be9ec5564f3f16b38f87b0c7a0178274ed580a8566e31a995a80e353bb
Tags: GuLoader

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • FAKTURA I RACHUNKI.exe (PID: 5744 cmdline: 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe' MD5: AC62EBBBF6EC96F48A8CCA64793BF8FB)
    • RegAsm.exe (PID: 5584 cmdline: 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 5612 cmdline: 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "JrBJv6DyR8", "URL: ": "http://KeXrtgodXUi1h.com", "To: ": "syndic8@yandex.com", "ByHost: ": "mail.brimaq.com:587", "Password: ": "UXB9CyQFuVvwdgx", "From: ": "jaen@brimaq.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.608367607.0000000000F81000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: RegAsm.exe PID: 5612 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 5612 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 78.128.8.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 5612, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49751

Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.5612.2.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "JrBJv6DyR8", "URL: ": "http://KeXrtgodXUi1h.com", "To: ": "syndic8@yandex.com", "ByHost: ": "mail.brimaq.com:587", "Password: ": "UXB9CyQFuVvwdgx", "From: ": "jaen@brimaq.com"}
Multi AV Scanner detection for submitted file
Source: FAKTURA I RACHUNKI.exe; Virustotal: Detection: 21%
Source: FAKTURA I RACHUNKI.exe; ReversingLabs: Detection: 12%
Source: FAKTURA I RACHUNKI.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown; HTTPS traffic detected: 172.217.168.33:443 -> 192.168.2.6:49717 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://KeXrtgodXUi1h.com
Source: global traffic; TCP traffic: 192.168.2.6:49751 -> 78.128.8.31:587
Source: Joe Sandbox View; ASN Name: TELEPOINTBG TELEPOINTBG
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS traffic detected: queries for: doc-0s-1k-docs.googleusercontent.com
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: http://KeXrtgodXUi1h.com
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: http://bbllRW.com
Source: RegAsm.exe, 00000002.00000002.614735524.000000001DE41000.00000004.00000001.sdmp; String found in binary or memory: http://brimaq.com
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000002.00000002.614735524.000000001DE41000.00000004.00000001.sdmp; String found in binary or memory: http://mail.brimaq.com
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp; String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://r3.i.lencr.org/0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp; String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: https://doc-0s-1k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ilq0gs3h
Source: RegAsm.exe; String found in binary or memory: https://drive.google.com/uc?export=download&id=16YYVHnEy9_-NyGEipJqgNlcMWFoYiAxO
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp; String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown; Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown; HTTPS traffic detected: 172.217.168.33:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_0041112C OpenClipboard,

System Summary:

Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_023450CB NtResumeThread,
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_02345294 NtResumeThread,
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_0234533A NtResumeThread,
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_02345170 NtResumeThread,
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_02345162 NtResumeThread,
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_023453E8 NtResumeThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F8525E NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F84E07 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F853E8 NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F85294 NtSetInformationThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00F8533A NtSetInformationThread,
Source: FAKTURA I RACHUNKI.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FAKTURA I RACHUNKI.exe, 00000000.00000002.397678090.000000000041A000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename spiritu.exe vs FAKTURA I RACHUNKI.exe
Source: FAKTURA I RACHUNKI.exe; Binary or memory string: OriginalFilename spiritu.exe vs FAKTURA I RACHUNKI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc.dll
Source: FAKTURA I RACHUNKI.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@6/1@3/2
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_01
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; File created: C:\Users\user\AppData\Local\Temp\~DF991822A0E7AF3EFE.TMP
Source: FAKTURA I RACHUNKI.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: FAKTURA I RACHUNKI.exe; Virustotal: Detection: 21%
Source: FAKTURA I RACHUNKI.exe; ReversingLabs: Detection: 12%
Source: unknown; Process created: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match; File source: 00000002.00000002.608367607.0000000000F81000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00402465 pushfd ; iretd
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406C05 push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406C0B push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406C11 push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406C17 push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00403281 push dword ptr [edi-4B012F33h]; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00402495 pushfd ; iretd
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00402699 pushfd ; iretd
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00402F70 pushfd ; iretd
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00403703 push fs; ret
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00403329 pushfd ; iretd
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BC9 push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BCF push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BD5 push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BDB push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_004051DF pushfd ; iretd
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_004043E0 pushfd ; iretd
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BE1 push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BE7 push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BED push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BF3 push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BF9 push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_00406BFF push C868CBC8h; retf
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_0234006B push ebx; ret
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_02341131 pushfd ; iretd
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Code function: 0_2_02344504 push esi; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_01398478 pushfd ; retf 551Fh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0139D23C push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_013A7A37 push edi; retn 0000h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_013A1E00 push edx; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002342385 second address: 0000000002342385 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F4DA0B46EF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, ax 0x00000020 pop ecx 0x00000021 cmp dl, FFFFFF90h 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F4DA0B46EDBh 0x0000002c push ecx 0x0000002d cmp dl, bl 0x0000002f call 00007F4DA0B46F0Dh 0x00000034 call 00007F4DA0B46F08h 0x00000039 lfence 0x0000003c mov edx, dword ptr [7FFE0014h] 0x00000042 lfence 0x00000045 ret 0x00000046 mov esi, edx 0x00000048 pushad 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002345485 second address: 0000000002345485 instructions:
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002340984 second address: 0000000002340984 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F80B51 second address: 0000000000F80B51 instructions:
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: RegAsm.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002342385 second address: 0000000002342385 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F4DA0B46EF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, ax 0x00000020 pop ecx 0x00000021 cmp dl, FFFFFF90h 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F4DA0B46EDBh 0x0000002c push ecx 0x0000002d cmp dl, bl 0x0000002f call 00007F4DA0B46F0Dh 0x00000034 call 00007F4DA0B46F08h 0x00000039 lfence 0x0000003c mov edx, dword ptr [7FFE0014h] 0x00000042 lfence 0x00000045 ret 0x00000046 mov esi, edx 0x00000048 pushad 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 00000000023424DB second address: 00000000023424DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F4DA05B9491h 0x0000001d popad 0x0000001e call 00007F4DA05B7370h 0x00000023 lfence 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002345485 second address: 0000000002345485 instructions:
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | RDTSC instruction interceptor: First address: 0000000002340984 second address: 0000000002340984 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F824DB second address: 0000000000F824DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F4DA0B49021h 0x0000001d popad 0x0000001e call 00007F4DA0B46F00h 0x00000023 lfence 0x00000026 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000F80B51 second address: 0000000000F80B51 instructions:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F824D8 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 1095
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 8754
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4980 | Thread sleep time: -14757395258967632s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
            Source: RegAsm.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation

            Anti Debugging:

            Hides threads from debuggers
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F824D8 rdtsc
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Code function: 0_2_02342E6B LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F822DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F849C5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F84A48 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F83F39 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00F84310 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F80000
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
            Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
            Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected AgentTesla
            Source: Yara match | File source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Tries to harvest and steal ftp login credentials
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: Yara match | File source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY

            Remote Access Functionality:

            Yara detected AgentTesla
            Source: Yara match | File source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 211 | DLL Side-Loading 1 | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 341 | LSASS Memory | Security Software Discovery 631 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Virtualization/Sandbox Evasion 341 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 112 | SIM Card Swap | - | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 313 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Behavior Graph ID: 383950 | Sample: FAKTURA I RACHUNKI.exe | Startdate: 08/04/2021 | Architecture: WINDOWS | Score: 100
            Signatures on the sample: Found malware configuration; Multi AV Scanner detection for submitted file; Sigma detected: RegAsm connects to smtp port; 6 other signatures
            • FAKTURA I RACHUNKI.exe (started): Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers
            • RegAsm.exe (started by FAKTURA I RACHUNKI.exe): contacts brimaq.com (78.128.8.31, 49751, 587, TELEPOINTBG, Bulgaria), mail.brimaq.com and 2 other IPs or domains; Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
            • conhost.exe (started by RegAsm.exe)
            • RegAsm.exe (started by FAKTURA I RACHUNKI.exe): Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect virtualization through RDTSC time measurements

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            FAKTURA I RACHUNKI.exe | 21% | Virustotal | -
            FAKTURA I RACHUNKI.exe | 12% | ReversingLabs | Win32.Trojan.Generic

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            Source | Detection | Scanner | Label
            brimaq.com | 0% | Virustotal | -
            mail.brimaq.com | 1% | Virustotal | -

            URLs

            Source | Detection | Scanner | Label
            http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
            http://DynDns.comDynDNS | 0% | URL Reputation | safe
            http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
            http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
            http://brimaq.com | 0% | Virustotal | -
            http://brimaq.com | 0% | Avira URL Cloud | safe
            http://mail.brimaq.com | 0% | Avira URL Cloud | safe
            http://r3.o.lencr.org0 | 0% | URL Reputation | safe
            http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
            http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
            https://pki.goog/repository/0 | 0% | URL Reputation | safe
            http://KeXrtgodXUi1h.com | 0% | Avira URL Cloud | safe
            http://bbllRW.com | 0% | Avira URL Cloud | safe
            http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
            http://r3.i.lencr.org/0 | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            brimaq.com | 78.128.8.31 | true | true | - | unknown
            googlehosted.l.googleusercontent.com | 172.217.168.33 | true | false | - | high
            mail.brimaq.com | unknown | unknown | true | - | unknown
            doc-0s-1k-docs.googleusercontent.com | unknown | unknown | false | - | high

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://KeXrtgodXUi1h.com | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://127.0.0.1:HTTP/1.1 | RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                  http://DynDns.comDynDNS | RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://cps.letsencrypt.org0 | RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  https://doc-0s-1k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ilq0gs3h | RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp | false | - | high
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://crl.pki.goog/GTS1O1core.crl0 | RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  http://brimaq.com | RegAsm.exe, 00000002.00000002.614735524.000000001DE41000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
                  http://mail.brimaq.com | RegAsm.exe, 00000002.00000002.614735524.000000001DE41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://r3.o.lencr.org0 | RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  http://pki.goog/gsr2/GTS1O1.crt0 | RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  http://crl.pki.goog/gsr2/gsr2.crl0? | RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  https://pki.goog/repository/0 | RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  http://bbllRW.com | RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://cps.root-x1.letsencrypt.org0 | RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                  http://r3.i.lencr.org/0 | RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown

                  Contacted IPs


                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  172.217.168.33 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false
                  78.128.8.31 | brimaq.com | Bulgaria | 31083 | TELEPOINTBG | true

                  General Information

                  Joe Sandbox Version: 31.0.0 Emerald
                  Analysis ID: 383950
                  Start date: 08.04.2021
                  Start time: 12:58:33
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 7m 14s
                  Hypervisor based Inspection enabled: false
                  Report type: light
                  Sample file name: FAKTURA I RACHUNKI.exe
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of new started processes analysed: 22
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.troj.spyw.evad.winEXE@6/1@3/2
                  EGA Information: Failed
                  HDC Information:
                  • Successful, ratio: 51.5% (good quality ratio 26.6%)
                  • Quality average: 29.1%
                  • Quality standard deviation: 32.4%
                  HCA Information:
                  • Successful, ratio: 97%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                  • TCP Packets have been reduced to 100
                  • Excluded IPs from analysis (whitelisted)
                  • Excluded domains from analysis (whitelisted)
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  13:00:03 | API Interceptor | 652x Sleep call for process: RegAsm.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                  ASN

                  Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                  TELEPOINTBG | 0AX4532QWSA.xlsx | Get hash | malicious | Browse | 217.174.152.38
                   | INV8222874744_20210111490395.xlsm | Get hash | malicious | Browse | 217.174.149.3
                   | spetsifikatsiya.xls | Get hash | malicious | Browse | 79.124.76.20
                   | spetsifikatsiya.xls | Get hash | malicious | Browse | 79.124.76.20
                   | document-1932597637.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1932597637.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1961450761.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1909441643.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1961450761.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1909441643.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1942925331.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1942925331.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1892683183.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1892683183.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1909894964.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1909894964.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1965918496.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1965918496.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1901557343.xls | Get hash | malicious | Browse | 217.174.152.52
                   | document-1901557343.xls | Get hash | malicious | Browse | 217.174.152.52

                  JA3 Fingerprints

                  Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                  37f463bf4616ecd445d4a1937da06e19 | WDnE51mua6.exe | Get hash | malicious | Browse | 172.217.168.33
                   | ikoAImKWvI.exe | Get hash | malicious | Browse | 172.217.168.33
                   | V7UnYc7CCN.exe | Get hash | malicious | Browse | 172.217.168.33
                   | SM25.vbs | Get hash | malicious | Browse | 172.217.168.33
                   | FQ45.vbs | Get hash | malicious | Browse | 172.217.168.33
                   | Signed pages of agreement copy.html | Get hash | malicious | Browse | 172.217.168.33
                   | Payment Report.html | Get hash | malicious | Browse | 172.217.168.33
                   | dMeVLLeyLc.exe | Get hash | malicious | Browse | 172.217.168.33
                   | avast_secure_browser_setup.exe | Get hash | malicious | Browse | 172.217.168.33
                   | PaymentAdvice-copy.htm | Get hash | malicious | Browse | 172.217.168.33
                   | 57fvgYpwnN.exe | Get hash | malicious | Browse | 172.217.168.33
                   | 8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls | Get hash | malicious | Browse | 172.217.168.33
                   | 9mm case for ROYAL METAL INDUSTRIES 3milmonth Specification drawings.exe | Get hash | malicious | Browse | 172.217.168.33
                   | Scan emco Bautechni specification.pps | Get hash | malicious | Browse | 172.217.168.33
                   | Lista e porosive te blerjes.exe | Get hash | malicious | Browse | 172.217.168.33
                   | Notice-039539.xlsm | Get hash | malicious | Browse | 172.217.168.33
                   | IMG_767893434432.exe | Get hash | malicious | Browse | 172.217.168.33
                   | OH76.vbs | Get hash | malicious | Browse | 172.217.168.33
                   | INVOICE_.EXE | Get hash | malicious | Browse | 172.217.168.33
                   | FED8GODpaD.xlsb | Get hash | malicious | Browse | 172.217.168.33

                  Dropped Files

                  No context

                  Created / dropped Files

                  \Device\ConDrv
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):30
                  Entropy (8bit):3.964735178725505
                  Encrypted:false
                  SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                  MD5:9F754B47B351EF0FC32527B541420595
                  SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                  SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                  SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: NordVPN directory not found!..

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):5.820730298106959
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.15%
                  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:FAKTURA I RACHUNKI.exe
                  File size:126976
                  MD5:ac62ebbbf6ec96f48a8cca64793bf8fb
                  SHA1:c1e10d41d090cb7d0505b46a1b48f3f533aa6aad
                  SHA256:5708e5be9ec5564f3f16b38f87b0c7a0178274ed580a8566e31a995a80e353bb
                  SHA512:3e6581e22319fa6adc526ee5c62352ccf0b45a7f519d9fa82c060acce7e6df1feac6ea971865866b113d6470a325939cc330a1e6f343c70d90eb1ffd14309951
                  SSDEEP:1536:f3GouBdGoPd3YqbfztVcOOTb3kCQv5i8+FMOihGo:fGZBdGcO0tVcOO/vQY8tOihG
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L.....zT.....................`....................@................

                  File Icon

                  Icon Hash:0ccea09899191898

                  Static PE Info

                  General

                  Entrypoint:0x4016bc
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x547AB41E [Sun Nov 30 06:07:26 2014 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:b99d75676bd131a32dd8593967e4443d

                  Entrypoint Preview

                  Instruction
                  push 0041091Ch
                  call 00007F4DA0B864F3h
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  xor byte ptr [eax], al
                  add byte ptr [eax], al
                  inc eax
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add ch, dh
                  call far 40C9h : A7DC1FC2h
                  stosd
                  mov es, word ptr [eax-509AA2ADh]
                  stc
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add dword ptr [eax], eax
                  add byte ptr [eax], al
                  insd
                  popad
                  xor dword ptr [bx+si], esp
                  push esp
                  jc 00007F4DA0B86563h
                  jo 00007F4DA0B86567h
                  jp 00007F4DA0B8656Bh
                  popad
                  insb
                  add byte ptr [ecx+67h], ch
                  push 00202074h
                  add byte ptr [eax], al
                  add bh, bh
                  int3
                  xor dword ptr [eax], eax
                  sub byte ptr [eax-4Dh], ah
                  into
                  lodsd
                  pop edx
                  mov cs, word ptr [ebp+eax*2-78h]
                  jnle 00007F4DA0B86566h
                  cmp byte ptr [edi-61h], al
                  push 1519A6C9h
                  mov gs, word ptr [ecx]
                  hlt
                  inc esp
                  inc ebx
                  cmp dword ptr [D1967FB6h], 4F3A498Dh
                  lodsd
                  xor ebx, dword ptr [ecx-48EE309Ah]
                  or al, 00h
                  stosb
                  add byte ptr [eax-2Dh], ah
                  xchg eax, ebx
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  das
                  int1
                  add byte ptr [eax], al
                  rol byte ptr [eax+eax+00h], cl
                  add byte ptr [636F5300h], al
                  imul esp, dword ptr [ecx+00h], 0006010Dh
                  outsb
                  jne 00007F4DA0B86575h
                  jns 00007F4DA0B86572h
                  add byte ptr [ecx], bl
                  add dword ptr [eax], eax

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18754 | 0x28 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x4856 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x160 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x17cd8 | 0x18000 | False | 0.399688720703 | data | 6.38244790313 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .data | 0x19000 | 0xaf4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x1a000 | 0x4856 | 0x5000 | False | 0.414111328125 | data | 4.36134725027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x1c2ae | 0x25a8 | data | |
                  RT_ICON | 0x1b206 | 0x10a8 | data | |
                  RT_ICON | 0x1a87e | 0x988 | data | |
                  RT_ICON | 0x1a416 | 0x468 | GLS_BINARY_LSB_FIRST | |
                  RT_GROUP_ICON | 0x1a3d8 | 0x3e | data | |
                  RT_VERSION | 0x1a180 | 0x258 | data | English | United States

                  Imports

                  DLL | Import
                  MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

                  Version Infos

                  Description | Data
                  Translation | 0x0409 0x04b0
                  InternalName | spiritu
                  FileVersion | 3.00
                  CompanyName | Salty
                  Comments | Salty
                  ProductName | Salty
                  ProductVersion | 3.00
                  FileDescription | Salty
                  OriginalFilename | spiritu.exe

                  Possible Origin

                  Language of compilation system | Country where language is spoken | Map
                  English | United States |

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Apr 8, 2021 12:59:54.076888084 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.088737965 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.088859081 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.089565992 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.101257086 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.113404989 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.113428116 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.113444090 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.113456011 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.113595009 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.130697012 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.142597914 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.142709017 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.143599033 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.159888029 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.354562998 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.354589939 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.354608059 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.354626894 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.354655981 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.354758024 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.354823112 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.355194092 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.355216026 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.355305910 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.355993032 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.356015921 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.356112957 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.356779099 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.356802940 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.356880903 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.357748985 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.357769012 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.357866049 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.364959955 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.365125895 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.366472960 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.366497993 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.366682053 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.366864920 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.367209911 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.367291927 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.367693901 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.367894888 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.367980003 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.368638992 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.368758917 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.368822098 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.368874073 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.369818926 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.369843960 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.369930029 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.370223999 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.370275021 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.370357037 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.371006966 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.371105909 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.371113062 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.371175051 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.371829033 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.371851921 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.371922016 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.371952057 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.372915030 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.372982979 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.373075962 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.373658895 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.373719931 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.373898029 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.374234915 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.374309063 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.374337912 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.374456882 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.375217915 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.375255108 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.375348091 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.375797033 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.376125097 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.378381968 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.378416061 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.378458977 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.378469944 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.378506899 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.378515005 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.379914045 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.379949093 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.380044937 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.380048037 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.380075932 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.380146980 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.380645990 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.380678892 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.380744934 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.380775928 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.380812883 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.381489992 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.381524086 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.381567955 CEST | 443 | 49717 | 172.217.168.33 | 192.168.2.6
                  Apr 8, 2021 12:59:54.381623030 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33
                  Apr 8, 2021 12:59:54.381665945 CEST | 49717 | 443 | 192.168.2.6 | 172.217.168.33

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Apr 8, 2021 12:59:31.325407982 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:31.338635921 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:31.957942009 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:31.970499992 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:34.149878025 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:34.163836002 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:35.499371052 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:35.513375044 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:36.672579050 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:36.684636116 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:37.636022091 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:37.648880005 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:38.655216932 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:38.668001890 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:50.976676941 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:50.988904953 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:53.282546043 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:53.308614016 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:54.047566891 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:54.074717999 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 12:59:56.837440014 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 12:59:56.857350111 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:08.197259903 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:08.212652922 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:09.260449886 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:09.273159981 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:10.023032904 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:10.035923958 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:13.818162918 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:13.831867933 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:16.318934917 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:16.385103941 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:16.939888954 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:16.952446938 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:17.401299000 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:17.414516926 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:17.548805952 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:17.561593056 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:17.919332027 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:17.933033943 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:18.206734896 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:18.233263016 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:18.381154060 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:18.394428015 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:18.676812887 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:18.689332962 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:18.810220003 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:18.823066950 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:19.197959900 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:19.257272959 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:19.876759052 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:19.890892029 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:20.724663019 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:20.737973928 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:21.184771061 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:21.198182106 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:21.658407927 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:21.807991982 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:29.075272083 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:29.094196081 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:35.899086952 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:35.912130117 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:36.710695982 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:36.723328114 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:37.692277908 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:37.704863071 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:38.838335991 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:38.851082087 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:41.063921928 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:41.076550007 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:00:54.385833025 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:00:54.399205923 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:01:00.012593031 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:01:00.025682926 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:01:02.281184912 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:01:02.294496059 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:01:29.743458033 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:01:29.796550989 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
                  Apr 8, 2021 13:01:29.808728933 CEST | 61178 | 53 | 192.168.2.6 | 8.8.8.8
                  Apr 8, 2021 13:01:29.821937084 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.6

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Apr 8, 2021 12:59:54.047566891 CEST | 192.168.2.6 | 8.8.8.8 | 0xeb1a | Standard query (0) | doc-0s-1k-docs.googleusercontent.com | A (IP address) | IN (0x0001)
                  Apr 8, 2021 13:01:29.743458033 CEST | 192.168.2.6 | 8.8.8.8 | 0x5d4 | Standard query (0) | mail.brimaq.com | A (IP address) | IN (0x0001)
                  Apr 8, 2021 13:01:29.808728933 CEST | 192.168.2.6 | 8.8.8.8 | 0x5f64 | Standard query (0) | mail.brimaq.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Apr 8, 2021 12:59:54.074717999 CEST | 8.8.8.8 | 192.168.2.6 | 0xeb1a | No error (0) | doc-0s-1k-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
                  Apr 8, 2021 12:59:54.074717999 CEST | 8.8.8.8 | 192.168.2.6 | 0xeb1a | No error (0) | googlehosted.l.googleusercontent.com | | 172.217.168.33 | A (IP address) | IN (0x0001)
                  Apr 8, 2021 13:01:29.796550989 CEST | 8.8.8.8 | 192.168.2.6 | 0x5d4 | No error (0) | mail.brimaq.com | brimaq.com | | CNAME (Canonical name) | IN (0x0001)
                  Apr 8, 2021 13:01:29.796550989 CEST | 8.8.8.8 | 192.168.2.6 | 0x5d4 | No error (0) | brimaq.com | | 78.128.8.31 | A (IP address) | IN (0x0001)
                  Apr 8, 2021 13:01:29.821937084 CEST | 8.8.8.8 | 192.168.2.6 | 0x5f64 | No error (0) | mail.brimaq.com | brimaq.com | | CNAME (Canonical name) | IN (0x0001)
                  Apr 8, 2021 13:01:29.821937084 CEST | 8.8.8.8 | 192.168.2.6 | 0x5f64 | No error (0) | brimaq.com | | 78.128.8.31 | A (IP address) | IN (0x0001)

                  HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Apr 8, 2021 12:59:54.113456011 CEST | 172.217.168.33 | 443 | 192.168.2.6 | 49717 | CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Mar 16 20:32:57 CET 2021 | Tue Jun 08 21:32:56 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
(same handshake, intermediate certificate) | | | | | CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021 | |
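The two JA3 columns in the row above are redundant by construction: the digest is the MD5 of the fingerprint string "TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats". The following is an added example, not Joe Sandbox code: it rebuilds a JA3 string from ClientHello fields (dropping GREASE values as the reference implementation does), recomputes the digest for the values reported above, and decodes what this particular fingerprint says about the client. The lookup tables are deliberately limited to the IDs that occur in this hello.

```python
import hashlib

# Values copied from the HTTPS packet row above (192.168.2.6:49717 -> 172.217.168.33:443).
REPORTED_JA3 = (
    "771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-"
    "157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0"
)
REPORTED_DIGEST = "37f463bf4616ecd445d4a1937da06e19"

# GREASE values (RFC 8701) are randomised per connection and must be dropped before
# hashing, otherwise one client would produce a different digest on every handshake.
GREASE = {v for v in range(0x0A0A, 0xFAFB, 0x1010)}

# IANA names for the IDs seen in this hello (plus the two TLS 1.3 extensions it lacks).
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              13: "signature_algorithms", 23: "extended_master_secret",
              35: "session_ticket", 43: "supported_versions", 51: "key_share",
              65281: "renegotiation_info"}
GROUPS = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}


def ja3_string(version, ciphers, extensions, groups, point_formats):
    """Build the JA3 string from parsed ClientHello fields, GREASE removed."""
    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), fmt(ciphers), fmt(extensions), fmt(groups), fmt(point_formats)])


def ja3_digest(s):
    """JA3 digest = MD5 of the JA3 string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def parse_ja3_string(s):
    """Split a JA3 string back into its five integer fields (empty field -> empty list)."""
    version, *lists = s.split(",")
    if len(lists) != 4:
        raise ValueError("JA3 string must have five comma-separated fields")
    ciphers, extensions, groups, point_formats = (
        [int(x) for x in field.split("-")] if field else [] for field in lists
    )
    return {"version": int(version), "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "point_formats": point_formats}


def describe(s):
    """Human-readable notes on what the fingerprint does and does not offer."""
    f = parse_ja3_string(s)
    notes = [f"TLS record version 0x{f['version']:04x}"]
    if 43 in f["extensions"] and 51 in f["extensions"]:
        notes.append("offers TLS 1.3 (supported_versions and key_share present)")
    else:
        notes.append("no supported_versions/key_share extensions: TLS 1.2 at most")
    notes.append("extensions: " + ", ".join(EXTENSIONS.get(e, str(e)) for e in f["extensions"]))
    notes.append("groups: " + ", ".join(GROUPS.get(g, str(g)) for g in f["groups"]))
    return notes


def verify_reported(s=REPORTED_JA3, digest=REPORTED_DIGEST):
    """Recompute the digest and confirm the report's two JA3 columns agree."""
    return ja3_digest(s) == digest


if __name__ == "__main__":
    print("digest matches report:", verify_reported())
    for line in describe(REPORTED_JA3):
        print(" -", line)
```

The fingerprint identifies the TLS library, not the malware: whichever process drove this download used the Windows TLS stack, so the same digest appears in benign traffic from any host with that stack. Use it to group sessions for pivoting; the destination (a googleusercontent.com download immediately after the sample starts) and the SMTP session that follows are the stronger signals.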

                  SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 8, 2021 13:01:29.992228985 CEST | 587 | 49751 | 78.128.8.31 | 192.168.2.6 | 220-srvr.laprimeracloud08.com ESMTP Exim 4.94 #2 Thu, 08 Apr 2021 13:01:30 +0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 8, 2021 13:01:29.992747068 CEST | 49751 | 587 | 192.168.2.6 | 78.128.8.31 | EHLO 910646
Apr 8, 2021 13:01:30.036658049 CEST | 587 | 49751 | 78.128.8.31 | 192.168.2.6 | 250-srvr.laprimeracloud08.com Hello 910646 [185.32.222.8]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 8, 2021 13:01:30.037194967 CEST | 49751 | 587 | 192.168.2.6 | 78.128.8.31 | STARTTLS
Apr 8, 2021 13:01:30.085578918 CEST | 587 | 49751 | 78.128.8.31 | 192.168.2.6 | 220 TLS go ahead
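The session above is the cleartext prefix of the exfiltration channel: the client resolves mail.brimaq.com, connects to 78.128.8.31 on the submission port, sends EHLO with a bare number instead of a hostname, and upgrades to TLS before authenticating, so neither the credentials nor the stolen data are visible in the capture. The server's EHLO reply also leaks the analysis machine's public address. The following added example (not Joe Sandbox code) parses that transcript, constructed here from the rows above, into the indicators a responder would record; the tag names in indicators() are the author's own.

```python
import re

# Constructed from the SMTP packet rows above: client 192.168.2.6:49751, server
# 78.128.8.31:587 (the address just resolved for mail.brimaq.com). "S" = server, "C" = client.
SMTP_TRANSCRIPT = [
    ("S", "220-srvr.laprimeracloud08.com ESMTP Exim 4.94 #2 Thu, 08 Apr 2021 13:01:30 +0200"),
    ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
    ("S", "220 and/or bulk e-mail."),
    ("C", "EHLO 910646"),
    ("S", "250-srvr.laprimeracloud08.com Hello 910646 [185.32.222.8]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-X_PIPE_CONNECT"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "STARTTLS"),
    ("S", "220 TLS go ahead"),
]

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def group_turns(transcript):
    """Pair each client command with the server's (possibly multi-line) reply.

    RFC 5321 continuation lines use "NNN-", the final line "NNN ". The banner has no
    preceding command and is returned with command None.
    """
    turns, cmd, lines = [], None, []
    for side, text in transcript:
        if side == "C":
            cmd, lines = text, []
            continue
        m = REPLY_RE.match(text)
        if not m:
            raise ValueError(f"malformed server line: {text!r}")
        code, sep, body = m.groups()
        lines.append(body)
        if sep == " ":
            turns.append((cmd, int(code), lines))
            cmd, lines = None, []
    return turns


def summarize_session(transcript, resolved_name=None):
    """Extract the indicators available from the cleartext part of the session."""
    info = {"server_name": None, "ehlo_name": None, "client_public_ip": None,
            "auth_mechanisms": [], "starttls_offered": False,
            "starttls_negotiated": False, "banner_dns_mismatch": None}
    for cmd, code, lines in group_turns(transcript):
        verb = cmd.split()[0].upper() if cmd else None
        if verb is None and code == 220:
            info["server_name"] = lines[0].split()[0]
        elif verb == "EHLO" and code == 250:
            info["ehlo_name"] = cmd.split(None, 1)[1] if " " in cmd else ""
            m = IPV4_RE.search(lines[0])          # "Hello <name> [<client ip>]"
            info["client_public_ip"] = m.group(1) if m else None
            for ext in lines[1:]:
                keyword, _, args = ext.partition(" ")
                if keyword.upper() == "AUTH":
                    info["auth_mechanisms"] = args.split()
                elif keyword.upper() == "STARTTLS":
                    info["starttls_offered"] = True
        elif verb == "STARTTLS":
            info["starttls_negotiated"] = code == 220
    if resolved_name and info["server_name"]:
        info["banner_dns_mismatch"] = resolved_name.lower() != info["server_name"].lower()
    return info


def indicators(info):
    """Turn the summary into short tags for a triage note or a detection rule."""
    tags = []
    if info["ehlo_name"] is not None and re.fullmatch(r"\d+", info["ehlo_name"]):
        tags.append("ehlo-not-a-hostname")          # a mail client would send an FQDN here
    if info["starttls_negotiated"]:
        tags.append("payload-encrypted-after-starttls")  # AUTH and the message are not in the pcap
    if info["auth_mechanisms"] and info["starttls_negotiated"]:
        tags.append("plaintext-auth-inside-tls")    # PLAIN/LOGIN: creds recoverable only at the endpoint
    if info["banner_dns_mismatch"]:
        tags.append("banner-name-differs-from-dns")  # shared hosting: record both names as pivots
    return tags


if __name__ == "__main__":
    summary = summarize_session(SMTP_TRANSCRIPT, resolved_name="mail.brimaq.com")
    for key, value in summary.items():
        print(f"{key:22} {value}")
    print("indicators:", indicators(summary))
```

Because the session upgrades to TLS before AUTH, the mailbox credentials have to be recovered from the sample itself (its embedded configuration) or from the process memory of the injected RegAsm.exe, not from the network capture.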

                  Code Manipulations

                  Statistics

                  Behavior


                  System Behavior

                  General

Start time: 12:59:27
Start date: 08/04/2021
Path: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Imagebase: 0x400000
File size: 126976 bytes
MD5 hash: AC62EBBBF6EC96F48A8CCA64793BF8FB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

                  General

Start time: 12:59:40
Start date: 08/04/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Imagebase: 0xb0000
File size: 64616 bytes
MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                  General

Start time: 12:59:40
Start date: 08/04/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Imagebase: 0xba0000
File size: 64616 bytes
MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000002.00000002.608367607.0000000000F81000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

                  General

Start time: 12:59:41
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
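The telling detail in the process blocks above is that both RegAsm.exe instances report the dropper's own path as their command line: the loader starts the signed .NET utility and replaces its code, but the command line it was created with stays attached to the new process. The injected 32-bit instance additionally carries GuLoader and AgentTesla YARA hits in its memory. The following added example (not Joe Sandbox code) runs that image-versus-command-line check over records constructed from the four General blocks; the DOTNET_HOSTS list is the author's assumption about which Microsoft .NET utilities are commonly hollowed and is not taken from the report.

```python
import ntpath
import re

# Constructed from the four "General" blocks above (Path, Commandline, Wow64, Yara).
PROCESSES = [
    {"path": r"C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe",
     "cmdline": r"'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'",
     "wow64": True, "yara": []},
    {"path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'",
     "wow64": False, "yara": []},
    {"path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'",
     "wow64": True,
     "yara": ["JoeSecurity_GuLoader", "JoeSecurity_AgentTesla_1",
              "JoeSecurity_CredentialStealer"]},
    {"path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "wow64": False, "yara": []},
]

# Assumption: signed Microsoft .NET utilities that loaders typically start suspended
# and overwrite with the payload.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe", "vbc.exe", "csc.exe"}

# First token of a command line: "double-quoted", 'single-quoted' (Joe Sandbox style) or bare.
FIRST_TOKEN = re.compile(r"""^\s*(?:"([^"]+)"|'([^']+)'|(\S+))""")


def cmdline_image(cmdline):
    """Return the executable path the command line claims to run."""
    m = FIRST_TOKEN.match(cmdline)
    if not m:
        raise ValueError(f"empty command line: {cmdline!r}")
    return next(g for g in m.groups() if g is not None)


def hollowing_indicators(proc):
    """Reasons to suspect this process is not running the code its image name suggests."""
    reasons = []
    image = ntpath.basename(proc["path"]).lower()
    claimed = ntpath.basename(cmdline_image(proc["cmdline"])).lower()
    if image != claimed:
        reasons.append(f"image is {image} but command line names {claimed}")
    if image in DOTNET_HOSTS and proc["yara"]:
        reasons.append("signed .NET utility with malware YARA hits in memory: "
                       + ", ".join(proc["yara"]))
    return reasons


def scan(processes):
    """Return [(index, reasons)] for every process that trips at least one indicator."""
    hits = []
    for i, proc in enumerate(processes):
        reasons = hollowing_indicators(proc)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(PROCESSES):
        print(f"process #{i} {PROCESSES[i]['path']}")
        for r in reasons:
            print("   -", r)
```

On a live host the same comparison applies to the Image and CommandLine fields of a Sysmon process-creation event (Event ID 1); a conhost.exe or the dropper itself passes the check, while a RegAsm.exe whose command line names some other executable is worth an immediate memory dump.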

                  Disassembly

                  Code Analysis
