Analysis Report Zapytanie ofertowe (THERMAR 04152021).exe

Overview

General Information

Sample Name:	Zapytanie ofertowe (THERMAR 04152021).exe
Analysis ID:	387921
MD5:	db9c85fd056d349b140e717463f96af7
SHA1:	35c6ade22bb43f1a540ca038685bc9972cf6bea7
SHA256:	e43b31d2b2446cd82a278f282ac128721a9d8b7718524eab066f5ed7eac40c1e
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Source: RegAsm.exe.2028.2.memstr	Malware Configuration Extractor: Agenttesla {"Username: ": "vItWU", "URL: ": "https://H59hPIoLS2g1MK.net", "To: ": "barbosabronx@yandex.com", "ByHost: ": "mail.aepa.ws:587", "Password: ": "c5h9ISinvw", "From: ": "info@aepa.ws"}

Multi AV Scanner detection for submitted file

Source: Zapytanie ofertowe (THERMAR 04152021).exe	Virustotal: Detection: 16%			Perma Link
Source: Zapytanie ofertowe (THERMAR 04152021).exe	ReversingLabs: Detection: 14%

Machine Learning detection for sample

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.22:49166 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x
Source: Malware configuration extractor	URLs: https://H59hPIoLS2g1MK.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.127.128.20:587

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.127.128.20:587

Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com3 equals www.linkedin.com (Linkedin)
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: doc-00-74-docs.googleusercontent.com

Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: http://HCWjJU.com
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp	String found in binary or memory: http://aepa.ws
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000002.00000002.3144625845.0000000000855000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000002.00000002.3148291480.000000001D71B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: RegAsm.exe, 00000002.00000002.3148233406.000000001D6A6000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000002.00000002.3148233406.000000001D6A6000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.3148291480.000000001D71B000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f07397a481be1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp	String found in binary or memory: http://mail.aepa.ws
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000002.00000002.3149408902.0000000021550000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at0E
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: RegAsm.exe, 00000002.00000002.3149242845.0000000020D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.crc.bg0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: RegAsm.exe, 00000002.00000002.3148657676.000000001E11E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.3148731419.000000001E194000.00000004.00000001.sdmp	String found in binary or memory: https://H59hPIoLS2g1MK.net
Source: RegAsm.exe, 00000002.00000002.3148657676.000000001E11E000.00000004.00000001.sdmp	String found in binary or memory: https://H59hPIoLS2g1MK.netLX
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000002.00000002.3144572077.00000000007D9000.00000004.00000020.sdmp	String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/GG
Source: RegAsm.exe, 00000002.00000002.3144636278.0000000000869000.00000004.00000020.sdmp	String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/1c5gv62u
Source: RegAsm.exe, 00000002.00000002.3144572077.00000000007D9000.00000004.00000020.sdmp	String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/tG
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.22:49166 version: TLS 1.2

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00306D48 NtProtectVirtualMemory,	2_2_00306D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307278 NtQueryInformationProcess,	2_2_00307278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307427 NtQueryInformationProcess,	2_2_00307427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307400 NtQueryInformationProcess,	2_2_00307400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307470 NtQueryInformationProcess,	2_2_00307470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030744B NtQueryInformationProcess,	2_2_0030744B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307492 NtQueryInformationProcess,	2_2_00307492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003074DE NtQueryInformationProcess,	2_2_003074DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00306D11 NtProtectVirtualMemory,	2_2_00306D11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307504 NtQueryInformationProcess,	2_2_00307504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307579 NtQueryInformationProcess,	2_2_00307579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307553 NtQueryInformationProcess,	2_2_00307553
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003075AA NtQueryInformationProcess,	2_2_003075AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003075E7 NtQueryInformationProcess,	2_2_003075E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003075CA NtQueryInformationProcess,	2_2_003075CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307621 NtQueryInformationProcess,	2_2_00307621
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307603 NtQueryInformationProcess,	2_2_00307603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307662 NtQueryInformationProcess,	2_2_00307662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003072AF NtQueryInformationProcess,	2_2_003072AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307290 NtQueryInformationProcess,	2_2_00307290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307680 NtQueryInformationProcess,	2_2_00307680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003072F3 NtQueryInformationProcess,	2_2_003072F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003072D2 NtQueryInformationProcess,	2_2_003072D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307336 NtQueryInformationProcess,	2_2_00307336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307313 NtQueryInformationProcess,	2_2_00307313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030737A NtQueryInformationProcess,	2_2_0030737A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307355 NtQueryInformationProcess,	2_2_00307355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307399 NtQueryInformationProcess,	2_2_00307399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003073DF NtQueryInformationProcess,	2_2_003073DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003073C3 NtQueryInformationProcess,	2_2_003073C3

Detected potential crypto function

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004095BA	0_2_004095BA
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409CD1	0_2_00409CD1
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040989A	0_2_0040989A
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A159	0_2_0040A159
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409D62	0_2_00409D62
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040996B	0_2_0040996B
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A119	0_2_0040A119
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409924	0_2_00409924
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A1F2	0_2_0040A1F2
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409E40	0_2_00409E40
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409E7F	0_2_00409E7F
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409A01	0_2_00409A01
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409637	0_2_00409637
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00410EC8	0_2_00410EC8
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409685	0_2_00409685
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A288	0_2_0040A288
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409F0D	0_2_00409F0D
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409711	0_2_00409711
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409FA0	0_2_00409FA0
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409BAB	0_2_00409BAB
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004097AF	0_2_004097AF
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E0156	0_2_002E0156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F9050	2_2_006F9050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006FEE88	2_2_006FEE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F5C80	2_2_006F5C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F0168	2_2_006F0168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006FC7E8	2_2_006FC7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F9620	2_2_006F9620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F2CC8	2_2_006F2CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F3F78	2_2_006F3F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F834D	2_2_006F834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F2D28	2_2_006F2D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F25D0	2_2_006F25D0

PE file contains strange resources

Source: Zapytanie ofertowe (THERMAR 04152021).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Zapytanie ofertowe (THERMAR 04152021).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@7/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\KTDIPTU6.txt

Jump to behavior

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

File created: C:\Users\user\AppData\Local\Temp\~DF0A81196D88116507.TMP

Jump to behavior

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Zapytanie ofertowe (THERMAR 04152021).exe	Virustotal: Detection: 16%
Source: Zapytanie ofertowe (THERMAR 04152021).exe	ReversingLabs: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

PE file contains an invalid checksum

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: real checksum: 0x20705 should be: 0x2309f

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040C87D pushad ; ret	0_2_0040C8B2
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040C1C5 push 7600FFCEh; iretd	0_2_0040C1CA
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00403191 pushad ; iretd	0_2_00403192
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004082EC push edi; ret	0_2_004082F4
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004056FA push FFFFFFB0h; ret	0_2_004056FC
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E0052 push edx; ret	0_2_002E005C
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E4852 push cs; ret	0_2_002E4853
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E5699 push ds; ret	0_2_002E56A6
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E0100 push 944EEDE5h; retf	0_2_002E0112

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (71).png

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303BC7 InternetOpenA,InternetOpenUrlA,	2_2_00303BC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030283F	2_2_0030283F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030287C	2_2_0030287C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003028D5	2_2_003028D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030291A	2_2_0030291A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302961	2_2_00302961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003029A6	2_2_003029A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302594 CredGetTargetInfoW,	2_2_00302594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003029F7	2_2_003029F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302A2D	2_2_00302A2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030620B	2_2_0030620B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302A77	2_2_00302A77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303E48	2_2_00303E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303E82	2_2_00303E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003066FB	2_2_003066FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302F2A	2_2_00302F2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003027AE	2_2_003027AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030278C	2_2_0030278C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003027EE	2_2_003027EE

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E060F second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, dl 0x0000000c call 00007F0048FFEB15h 0x00000011 test ax, 00008F5Ah 0x00000015 call 00007F0048FFBC1Eh 0x0000001a jmp 00007F0048FFBD6Ah 0x0000001c test edx, D54F987Eh 0x00000022 xor edi, edi 0x00000024 test bx, bx 0x00000027 mov ecx, 00A95F60h 0x0000002c cmp dl, dl 0x0000002e test dh, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 test bl, dl 0x00000035 call 00007F0048FFBDAEh 0x0000003a call 00007F0048FFBD68h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E334B second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0048E2FB08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F0048E2FB1Ah 0x0000001f cmp al, al 0x00000021 pop ecx 0x00000022 test ch, ch 0x00000024 add edi, edx 0x00000026 test ah, 00000072h 0x00000029 dec ecx 0x0000002a cmp bl, cl 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F0048E2FACCh 0x00000031 test cl, dl 0x00000033 push ecx 0x00000034 test bl, dl 0x00000036 call 00007F0048E2FB5Eh 0x0000003b call 00007F0048E2FB18h 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3438 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ebx, edx 0x0000000c jmp 00007F0048E2FB1Ah 0x0000000e test al, 9Dh 0x00000010 push ecx 0x00000011 cmp eax, ebx 0x00000013 test ch, FFFFFFE9h 0x00000016 call 00007F0048E2FBCBh 0x0000001b call 00007F0048E2FB5Dh 0x00000020 lfence 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E0696 second address: 00000000002E0696 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E673B second address: 00000000002E673B instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E40C0 second address: 00000000002E40C0 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E7464 second address: 00000000002E7464 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E76B5 second address: 00000000002E76B5 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000301A80 second address: 0000000000301A80 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe, 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E060F second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, dl 0x0000000c call 00007F0048FFEB15h 0x00000011 test ax, 00008F5Ah 0x00000015 call 00007F0048FFBC1Eh 0x0000001a jmp 00007F0048FFBD6Ah 0x0000001c test edx, D54F987Eh 0x00000022 xor edi, edi 0x00000024 test bx, bx 0x00000027 mov ecx, 00A95F60h 0x0000002c cmp dl, dl 0x0000002e test dh, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 test bl, dl 0x00000035 call 00007F0048FFBDAEh 0x0000003a call 00007F0048FFBD68h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E334B second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0048E2FB08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F0048E2FB1Ah 0x0000001f cmp al, al 0x00000021 pop ecx 0x00000022 test ch, ch 0x00000024 add edi, edx 0x00000026 test ah, 00000072h 0x00000029 dec ecx 0x0000002a cmp bl, cl 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F0048E2FACCh 0x00000031 test cl, dl 0x00000033 push ecx 0x00000034 test bl, dl 0x00000036 call 00007F0048E2FB5Eh 0x0000003b call 00007F0048E2FB18h 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3418 second address: 00000000002E3438 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp al, dl 0x0000000d xor edi, edi 0x0000000f test al, cl 0x00000011 mov ecx, 000186A0h 0x00000016 test ax, dx 0x00000019 cmp edx, F977E25Ah 0x0000001f pushad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3438 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ebx, edx 0x0000000c jmp 00007F0048E2FB1Ah 0x0000000e test al, 9Dh 0x00000010 push ecx 0x00000011 cmp eax, ebx 0x00000013 test ch, FFFFFFE9h 0x00000016 call 00007F0048E2FBCBh 0x0000001b call 00007F0048E2FB5Dh 0x00000020 lfence 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3591 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0048FFE9D4h 0x0000001d popad 0x0000001e call 00007F0048FFBD95h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E0696 second address: 00000000002E0696 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E673B second address: 00000000002E673B instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E40C0 second address: 00000000002E40C0 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E7464 second address: 00000000002E7464 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E76B5 second address: 00000000002E76B5 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000303418 second address: 0000000000303591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp al, dl 0x0000000d xor edi, edi 0x0000000f test al, cl 0x00000011 mov ecx, 000186A0h 0x00000016 test ax, dx 0x00000019 cmp edx, F977E25Ah 0x0000001f pushad 0x00000020 nop 0x00000021 nop 0x00000022 mov eax, 00000001h 0x00000027 cpuid 0x00000029 popad 0x0000002a cmp ebx, edx 0x0000002c jmp 00007F0048FFBD6Ah 0x0000002e test al, 9Dh 0x00000030 push ecx 0x00000031 cmp eax, ebx 0x00000033 test ch, FFFFFFE9h 0x00000036 call 00007F0048FFBE1Bh 0x0000003b call 00007F0048FFBDADh 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000303591 second address: 0000000000303591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0048E32784h 0x0000001d popad 0x0000001e call 00007F0048E2FB45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000301A80 second address: 0000000000301A80 instructions:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Code function: 0_2_004095BA rdtsc

0_2_004095BA

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Window / User API: threadDelayed 375	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Window / User API: threadDelayed 9625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9636	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2564	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2100	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2100	Thread sleep time: -120000s >= -30000s	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Code function: 0_2_004095BA rdtsc

0_2_004095BA

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00303A7B LdrInitializeThunk,

2_2_00303A7B

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303160 mov eax, dword ptr fs:[00000030h]	2_2_00303160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303162 mov eax, dword ptr fs:[00000030h]	2_2_00303162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003055B8 mov eax, dword ptr fs:[00000030h]	2_2_003055B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003055BA mov eax, dword ptr fs:[00000030h]	2_2_003055BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003055DF mov eax, dword ptr fs:[00000030h]	2_2_003055DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00305E5C mov eax, dword ptr fs:[00000030h]	2_2_00305E5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00305E42 mov eax, dword ptr fs:[00000030h]	2_2_00305E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003066FB mov eax, dword ptr fs:[00000030h]	2_2_003066FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003066D0 mov eax, dword ptr fs:[00000030h]	2_2_003066D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00306722 mov eax, dword ptr fs:[00000030h]	2_2_00306722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003067B4 mov eax, dword ptr fs:[00000030h]	2_2_003067B4

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 300000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.214.225	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false
185.127.128.20	aepa.ws	Spain		13287	NIXVALIP-ASNIXVALDatacenterES	true

Contacted Domains

Name	IP	Active
aepa.ws	185.127.128.20	true
googlehosted.l.googleusercontent.com	216.58.214.225	true
doc-00-74-docs.googleusercontent.com	unknown	unknown
mail.aepa.ws	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://H59hPIoLS2g1MK.net	true	Avira URL Cloud: safe	unknown

AV Detection:

Found malware configuration

Source: 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Source: RegAsm.exe.2028.2.memstr	Malware Configuration Extractor: Agenttesla {"Username: ": "vItWU", "URL: ": "https://H59hPIoLS2g1MK.net", "To: ": "barbosabronx@yandex.com", "ByHost: ": "mail.aepa.ws:587", "Password: ": "c5h9ISinvw", "From: ": "info@aepa.ws"}

Multi AV Scanner detection for submitted file

Source: Zapytanie ofertowe (THERMAR 04152021).exe	Virustotal: Detection: 16%			Perma Link
Source: Zapytanie ofertowe (THERMAR 04152021).exe	ReversingLabs: Detection: 14%

Machine Learning detection for sample

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.22:49166 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x
Source: Malware configuration extractor	URLs: https://H59hPIoLS2g1MK.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.127.128.20:587

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.127.128.20:587

Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com3 equals www.linkedin.com (Linkedin)
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: doc-00-74-docs.googleusercontent.com

Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: http://HCWjJU.com
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp	String found in binary or memory: http://aepa.ws
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000002.00000002.3144625845.0000000000855000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000002.00000002.3148291480.000000001D71B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: RegAsm.exe, 00000002.00000002.3148233406.000000001D6A6000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000002.00000002.3148233406.000000001D6A6000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.3148291480.000000001D71B000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f07397a481be1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp	String found in binary or memory: http://mail.aepa.ws
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000002.00000002.3149408902.0000000021550000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at0E
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: RegAsm.exe, 00000002.00000002.3149242845.0000000020D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.crc.bg0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: RegAsm.exe, 00000002.00000002.3148657676.000000001E11E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.3148731419.000000001E194000.00000004.00000001.sdmp	String found in binary or memory: https://H59hPIoLS2g1MK.net
Source: RegAsm.exe, 00000002.00000002.3148657676.000000001E11E000.00000004.00000001.sdmp	String found in binary or memory: https://H59hPIoLS2g1MK.netLX
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000002.00000002.3144572077.00000000007D9000.00000004.00000020.sdmp	String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/GG
Source: RegAsm.exe, 00000002.00000002.3144636278.0000000000869000.00000004.00000020.sdmp	String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/1c5gv62u
Source: RegAsm.exe, 00000002.00000002.3144572077.00000000007D9000.00000004.00000020.sdmp	String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/tG
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.22:49166 version: TLS 1.2

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00306D48 NtProtectVirtualMemory,	2_2_00306D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307278 NtQueryInformationProcess,	2_2_00307278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307427 NtQueryInformationProcess,	2_2_00307427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307400 NtQueryInformationProcess,	2_2_00307400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307470 NtQueryInformationProcess,	2_2_00307470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030744B NtQueryInformationProcess,	2_2_0030744B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307492 NtQueryInformationProcess,	2_2_00307492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003074DE NtQueryInformationProcess,	2_2_003074DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00306D11 NtProtectVirtualMemory,	2_2_00306D11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307504 NtQueryInformationProcess,	2_2_00307504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307579 NtQueryInformationProcess,	2_2_00307579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307553 NtQueryInformationProcess,	2_2_00307553
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003075AA NtQueryInformationProcess,	2_2_003075AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003075E7 NtQueryInformationProcess,	2_2_003075E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003075CA NtQueryInformationProcess,	2_2_003075CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307621 NtQueryInformationProcess,	2_2_00307621
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307603 NtQueryInformationProcess,	2_2_00307603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307662 NtQueryInformationProcess,	2_2_00307662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003072AF NtQueryInformationProcess,	2_2_003072AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307290 NtQueryInformationProcess,	2_2_00307290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307680 NtQueryInformationProcess,	2_2_00307680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003072F3 NtQueryInformationProcess,	2_2_003072F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003072D2 NtQueryInformationProcess,	2_2_003072D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307336 NtQueryInformationProcess,	2_2_00307336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307313 NtQueryInformationProcess,	2_2_00307313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030737A NtQueryInformationProcess,	2_2_0030737A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307355 NtQueryInformationProcess,	2_2_00307355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307399 NtQueryInformationProcess,	2_2_00307399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003073DF NtQueryInformationProcess,	2_2_003073DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003073C3 NtQueryInformationProcess,	2_2_003073C3

Detected potential crypto function

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004095BA	0_2_004095BA
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409CD1	0_2_00409CD1
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040989A	0_2_0040989A
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A159	0_2_0040A159
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409D62	0_2_00409D62
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040996B	0_2_0040996B
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A119	0_2_0040A119
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409924	0_2_00409924
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A1F2	0_2_0040A1F2
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409E40	0_2_00409E40
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409E7F	0_2_00409E7F
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409A01	0_2_00409A01
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409637	0_2_00409637
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00410EC8	0_2_00410EC8
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409685	0_2_00409685
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A288	0_2_0040A288
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409F0D	0_2_00409F0D
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409711	0_2_00409711
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409FA0	0_2_00409FA0
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409BAB	0_2_00409BAB
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004097AF	0_2_004097AF
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E0156	0_2_002E0156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F9050	2_2_006F9050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006FEE88	2_2_006FEE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F5C80	2_2_006F5C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F0168	2_2_006F0168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006FC7E8	2_2_006FC7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F9620	2_2_006F9620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F2CC8	2_2_006F2CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F3F78	2_2_006F3F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F834D	2_2_006F834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F2D28	2_2_006F2D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F25D0	2_2_006F25D0

PE file contains strange resources

Source: Zapytanie ofertowe (THERMAR 04152021).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Zapytanie ofertowe (THERMAR 04152021).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@7/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\KTDIPTU6.txt

Jump to behavior

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

File created: C:\Users\user\AppData\Local\Temp\~DF0A81196D88116507.TMP

Jump to behavior

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Zapytanie ofertowe (THERMAR 04152021).exe	Virustotal: Detection: 16%
Source: Zapytanie ofertowe (THERMAR 04152021).exe	ReversingLabs: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

PE file contains an invalid checksum

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: real checksum: 0x20705 should be: 0x2309f

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040C87D pushad ; ret	0_2_0040C8B2
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040C1C5 push 7600FFCEh; iretd	0_2_0040C1CA
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00403191 pushad ; iretd	0_2_00403192
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004082EC push edi; ret	0_2_004082F4
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004056FA push FFFFFFB0h; ret	0_2_004056FC
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E0052 push edx; ret	0_2_002E005C
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E4852 push cs; ret	0_2_002E4853
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E5699 push ds; ret	0_2_002E56A6
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E0100 push 944EEDE5h; retf	0_2_002E0112

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (71).png

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303BC7 InternetOpenA,InternetOpenUrlA,	2_2_00303BC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030283F	2_2_0030283F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030287C	2_2_0030287C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003028D5	2_2_003028D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030291A	2_2_0030291A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302961	2_2_00302961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003029A6	2_2_003029A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302594 CredGetTargetInfoW,	2_2_00302594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003029F7	2_2_003029F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302A2D	2_2_00302A2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030620B	2_2_0030620B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302A77	2_2_00302A77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303E48	2_2_00303E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303E82	2_2_00303E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003066FB	2_2_003066FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302F2A	2_2_00302F2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003027AE	2_2_003027AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030278C	2_2_0030278C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003027EE	2_2_003027EE

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E060F second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, dl 0x0000000c call 00007F0048FFEB15h 0x00000011 test ax, 00008F5Ah 0x00000015 call 00007F0048FFBC1Eh 0x0000001a jmp 00007F0048FFBD6Ah 0x0000001c test edx, D54F987Eh 0x00000022 xor edi, edi 0x00000024 test bx, bx 0x00000027 mov ecx, 00A95F60h 0x0000002c cmp dl, dl 0x0000002e test dh, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 test bl, dl 0x00000035 call 00007F0048FFBDAEh 0x0000003a call 00007F0048FFBD68h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E334B second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0048E2FB08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F0048E2FB1Ah 0x0000001f cmp al, al 0x00000021 pop ecx 0x00000022 test ch, ch 0x00000024 add edi, edx 0x00000026 test ah, 00000072h 0x00000029 dec ecx 0x0000002a cmp bl, cl 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F0048E2FACCh 0x00000031 test cl, dl 0x00000033 push ecx 0x00000034 test bl, dl 0x00000036 call 00007F0048E2FB5Eh 0x0000003b call 00007F0048E2FB18h 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3438 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ebx, edx 0x0000000c jmp 00007F0048E2FB1Ah 0x0000000e test al, 9Dh 0x00000010 push ecx 0x00000011 cmp eax, ebx 0x00000013 test ch, FFFFFFE9h 0x00000016 call 00007F0048E2FBCBh 0x0000001b call 00007F0048E2FB5Dh 0x00000020 lfence 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E0696 second address: 00000000002E0696 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E673B second address: 00000000002E673B instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E40C0 second address: 00000000002E40C0 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E7464 second address: 00000000002E7464 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E76B5 second address: 00000000002E76B5 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000301A80 second address: 0000000000301A80 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe, 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E060F second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, dl 0x0000000c call 00007F0048FFEB15h 0x00000011 test ax, 00008F5Ah 0x00000015 call 00007F0048FFBC1Eh 0x0000001a jmp 00007F0048FFBD6Ah 0x0000001c test edx, D54F987Eh 0x00000022 xor edi, edi 0x00000024 test bx, bx 0x00000027 mov ecx, 00A95F60h 0x0000002c cmp dl, dl 0x0000002e test dh, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 test bl, dl 0x00000035 call 00007F0048FFBDAEh 0x0000003a call 00007F0048FFBD68h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E334B second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0048E2FB08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F0048E2FB1Ah 0x0000001f cmp al, al 0x00000021 pop ecx 0x00000022 test ch, ch 0x00000024 add edi, edx 0x00000026 test ah, 00000072h 0x00000029 dec ecx 0x0000002a cmp bl, cl 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F0048E2FACCh 0x00000031 test cl, dl 0x00000033 push ecx 0x00000034 test bl, dl 0x00000036 call 00007F0048E2FB5Eh 0x0000003b call 00007F0048E2FB18h 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3418 second address: 00000000002E3438 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp al, dl 0x0000000d xor edi, edi 0x0000000f test al, cl 0x00000011 mov ecx, 000186A0h 0x00000016 test ax, dx 0x00000019 cmp edx, F977E25Ah 0x0000001f pushad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3438 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ebx, edx 0x0000000c jmp 00007F0048E2FB1Ah 0x0000000e test al, 9Dh 0x00000010 push ecx 0x00000011 cmp eax, ebx 0x00000013 test ch, FFFFFFE9h 0x00000016 call 00007F0048E2FBCBh 0x0000001b call 00007F0048E2FB5Dh 0x00000020 lfence 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3591 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0048FFE9D4h 0x0000001d popad 0x0000001e call 00007F0048FFBD95h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E0696 second address: 00000000002E0696 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E673B second address: 00000000002E673B instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E40C0 second address: 00000000002E40C0 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E7464 second address: 00000000002E7464 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E76B5 second address: 00000000002E76B5 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000303418 second address: 0000000000303591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp al, dl 0x0000000d xor edi, edi 0x0000000f test al, cl 0x00000011 mov ecx, 000186A0h 0x00000016 test ax, dx 0x00000019 cmp edx, F977E25Ah 0x0000001f pushad 0x00000020 nop 0x00000021 nop 0x00000022 mov eax, 00000001h 0x00000027 cpuid 0x00000029 popad 0x0000002a cmp ebx, edx 0x0000002c jmp 00007F0048FFBD6Ah 0x0000002e test al, 9Dh 0x00000030 push ecx 0x00000031 cmp eax, ebx 0x00000033 test ch, FFFFFFE9h 0x00000036 call 00007F0048FFBE1Bh 0x0000003b call 00007F0048FFBDADh 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000303591 second address: 0000000000303591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0048E32784h 0x0000001d popad 0x0000001e call 00007F0048E2FB45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000301A80 second address: 0000000000301A80 instructions:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Code function: 0_2_004095BA rdtsc

0_2_004095BA

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Window / User API: threadDelayed 375	Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Window / User API: threadDelayed 9625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9636	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2564	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2100	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2100	Thread sleep time: -120000s >= -30000s	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Code function: 0_2_004095BA rdtsc

0_2_004095BA

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00303A7B LdrInitializeThunk,

2_2_00303A7B

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303160 mov eax, dword ptr fs:[00000030h]	2_2_00303160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303162 mov eax, dword ptr fs:[00000030h]	2_2_00303162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003055B8 mov eax, dword ptr fs:[00000030h]	2_2_003055B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003055BA mov eax, dword ptr fs:[00000030h]	2_2_003055BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003055DF mov eax, dword ptr fs:[00000030h]	2_2_003055DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00305E5C mov eax, dword ptr fs:[00000030h]	2_2_00305E5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00305E42 mov eax, dword ptr fs:[00000030h]	2_2_00305E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003066FB mov eax, dword ptr fs:[00000030h]	2_2_003066FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003066D0 mov eax, dword ptr fs:[00000030h]	2_2_003066D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00306722 mov eax, dword ptr fs:[00000030h]	2_2_00306722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003067B4 mov eax, dword ptr fs:[00000030h]	2_2_003067B4

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 300000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

ID:	387921
Product:	CloudBasic
Start time:	17:53:37
Start date:	15.04.2021
Sample:	Zapytanie ofertowe (THERMAR 04152021).exe
Cookbook:	default.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	db9c85fd056d349b140e717463f96af7
SHA1:	35c6ade22bb43f1a540ca038685bc9972cf6bea7
SHA256:	e43b31d2b2446cd82a278f282ac128721a9d8b7718524eab066f5ed7eac40c1e
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Analysis Report Zapytanie ofertowe (THERMAR 04152021).exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs