Play interactive tour

Edit tour

Analysis Report Zapytanie ofertowe (THERMAR 04152021).exe

Overview

General Information

Sample Name:	Zapytanie ofertowe (THERMAR 04152021).exe
Analysis ID:	387921
MD5:	db9c85fd056d349b140e717463f96af7
SHA1:	35c6ade22bb43f1a540ca038685bc9972cf6bea7
SHA256:	e43b31d2b2446cd82a278f282ac128721a9d8b7718524eab066f5ed7eac40c1e
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

Zapytanie ofertowe (THERMAR 04152021).exe (PID: 2404 cmdline: 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe' MD5: DB9C85FD056D349B140E717463F96AF7)

RegAsm.exe (PID: 2028 cmdline: 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe' MD5: ADF76F395D5A0ECBBF005390B73C3FD2)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Threatname: Agenttesla

{"Username: ": "vItWU", "URL: ": "https://H59hPIoLS2g1MK.net", "To: ": "barbosabronx@yandex.com", "ByHost: ": "mail.aepa.ws:587", "Password: ": "c5h9ISinvw", "From: ": "info@aepa.ws"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2028	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 2028	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2028	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.127.128.20, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 2028, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Source: RegAsm.exe.2028.2.memstr	Malware Configuration Extractor: Agenttesla {"Username: ": "vItWU", "URL: ": "https://H59hPIoLS2g1MK.net", "To: ": "barbosabronx@yandex.com", "ByHost: ": "mail.aepa.ws:587", "Password: ": "c5h9ISinvw", "From: ": "info@aepa.ws"}

Multi AV Scanner detection for submitted file

Show sources

Source: Zapytanie ofertowe (THERMAR 04152021).exe	Virustotal: Detection: 16%			Perma Link
Source: Zapytanie ofertowe (THERMAR 04152021).exe	ReversingLabs: Detection: 14%

Machine Learning detection for sample

Show sources

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Joe Sandbox ML: detected

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.22:49166 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x
Source: Malware configuration extractor	URLs: https://H59hPIoLS2g1MK.net

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.127.128.20:587

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.127.128.20:587

Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com3 equals www.linkedin.com (Linkedin)
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: doc-00-74-docs.googleusercontent.com

Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: http://HCWjJU.com
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp	String found in binary or memory: http://aepa.ws
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000002.00000002.3144625845.0000000000855000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000002.00000002.3148291480.000000001D71B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: RegAsm.exe, 00000002.00000002.3148233406.000000001D6A6000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000002.00000002.3148233406.000000001D6A6000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.3148291480.000000001D71B000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f07397a481be1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp	String found in binary or memory: http://mail.aepa.ws
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000002.00000002.3149408902.0000000021550000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at0E
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: RegAsm.exe, 00000002.00000002.3149242845.0000000020D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.crc.bg0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: RegAsm.exe, 00000002.00000002.3148657676.000000001E11E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.3148731419.000000001E194000.00000004.00000001.sdmp	String found in binary or memory: https://H59hPIoLS2g1MK.net
Source: RegAsm.exe, 00000002.00000002.3148657676.000000001E11E000.00000004.00000001.sdmp	String found in binary or memory: https://H59hPIoLS2g1MK.netLX
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000002.00000002.3144572077.00000000007D9000.00000004.00000020.sdmp	String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/GG
Source: RegAsm.exe, 00000002.00000002.3144636278.0000000000869000.00000004.00000020.sdmp	String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/1c5gv62u
Source: RegAsm.exe, 00000002.00000002.3144572077.00000000007D9000.00000004.00000020.sdmp	String found in binary or memory: https://doc-00-74-docs.googleusercontent.com/tG
Source: RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1BF_RKNN40fiNL_rA9Ky9I27K_BuXgL1x
Source: RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.22:49166 version: TLS 1.2

System Summary:

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00306D48 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307278 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307427 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307400 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307470 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030744B NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307492 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003074DE NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00306D11 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307504 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307579 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307553 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003075AA NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003075E7 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003075CA NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307621 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307603 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307662 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003072AF NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307290 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307680 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003072F3 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003072D2 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307336 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307313 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030737A NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307355 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00307399 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003073DF NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003073C3 NtQueryInformationProcess,

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004095BA
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409CD1
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040989A
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A159
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409D62
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040996B
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A119
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409924
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A1F2
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409E40
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409E7F
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409A01
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409637
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00410EC8
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409685
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040A288
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409F0D
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409711
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409FA0
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00409BAB
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004097AF
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E0156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F9050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006FEE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F5C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F0168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006FC7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F9620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F2CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F3F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F2D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_006F25D0

Source: Zapytanie ofertowe (THERMAR 04152021).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Zapytanie ofertowe (THERMAR 04152021).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@7/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\KTDIPTU6.txt

Jump to behavior

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

File created: C:\Users\user\AppData\Local\Temp\~DF0A81196D88116507.TMP

Jump to behavior

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Zapytanie ofertowe (THERMAR 04152021).exe	Virustotal: Detection: 16%
Source: Zapytanie ofertowe (THERMAR 04152021).exe	ReversingLabs: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Source: Zapytanie ofertowe (THERMAR 04152021).exe

Static PE information: real checksum: 0x20705 should be: 0x2309f

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040C87D pushad ; ret
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_0040C1C5 push 7600FFCEh; iretd
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_00403191 pushad ; iretd
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004082EC push edi; ret
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_004056FA push FFFFFFB0h; ret
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E0052 push edx; ret
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E4852 push cs; ret
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E5699 push ds; ret
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Code function: 0_2_002E0100 push 944EEDE5h; retf

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (71).png

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303BC7 InternetOpenA,InternetOpenUrlA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030283F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030287C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003028D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030291A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003029A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302594 CredGetTargetInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003029F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302A2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030620B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302A77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003066FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00302F2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003027AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0030278C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003027EE

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E060F second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, dl 0x0000000c call 00007F0048FFEB15h 0x00000011 test ax, 00008F5Ah 0x00000015 call 00007F0048FFBC1Eh 0x0000001a jmp 00007F0048FFBD6Ah 0x0000001c test edx, D54F987Eh 0x00000022 xor edi, edi 0x00000024 test bx, bx 0x00000027 mov ecx, 00A95F60h 0x0000002c cmp dl, dl 0x0000002e test dh, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 test bl, dl 0x00000035 call 00007F0048FFBDAEh 0x0000003a call 00007F0048FFBD68h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E334B second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0048E2FB08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F0048E2FB1Ah 0x0000001f cmp al, al 0x00000021 pop ecx 0x00000022 test ch, ch 0x00000024 add edi, edx 0x00000026 test ah, 00000072h 0x00000029 dec ecx 0x0000002a cmp bl, cl 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F0048E2FACCh 0x00000031 test cl, dl 0x00000033 push ecx 0x00000034 test bl, dl 0x00000036 call 00007F0048E2FB5Eh 0x0000003b call 00007F0048E2FB18h 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3438 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ebx, edx 0x0000000c jmp 00007F0048E2FB1Ah 0x0000000e test al, 9Dh 0x00000010 push ecx 0x00000011 cmp eax, ebx 0x00000013 test ch, FFFFFFE9h 0x00000016 call 00007F0048E2FBCBh 0x0000001b call 00007F0048E2FB5Dh 0x00000020 lfence 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E0696 second address: 00000000002E0696 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E673B second address: 00000000002E673B instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E40C0 second address: 00000000002E40C0 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E7464 second address: 00000000002E7464 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E76B5 second address: 00000000002E76B5 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000301A80 second address: 0000000000301A80 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe, 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E060F second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, dl 0x0000000c call 00007F0048FFEB15h 0x00000011 test ax, 00008F5Ah 0x00000015 call 00007F0048FFBC1Eh 0x0000001a jmp 00007F0048FFBD6Ah 0x0000001c test edx, D54F987Eh 0x00000022 xor edi, edi 0x00000024 test bx, bx 0x00000027 mov ecx, 00A95F60h 0x0000002c cmp dl, dl 0x0000002e test dh, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 test bl, dl 0x00000035 call 00007F0048FFBDAEh 0x0000003a call 00007F0048FFBD68h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E334B second address: 00000000002E334B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0048E2FB08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F0048E2FB1Ah 0x0000001f cmp al, al 0x00000021 pop ecx 0x00000022 test ch, ch 0x00000024 add edi, edx 0x00000026 test ah, 00000072h 0x00000029 dec ecx 0x0000002a cmp bl, cl 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F0048E2FACCh 0x00000031 test cl, dl 0x00000033 push ecx 0x00000034 test bl, dl 0x00000036 call 00007F0048E2FB5Eh 0x0000003b call 00007F0048E2FB18h 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3418 second address: 00000000002E3438 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp al, dl 0x0000000d xor edi, edi 0x0000000f test al, cl 0x00000011 mov ecx, 000186A0h 0x00000016 test ax, dx 0x00000019 cmp edx, F977E25Ah 0x0000001f pushad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3438 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ebx, edx 0x0000000c jmp 00007F0048E2FB1Ah 0x0000000e test al, 9Dh 0x00000010 push ecx 0x00000011 cmp eax, ebx 0x00000013 test ch, FFFFFFE9h 0x00000016 call 00007F0048E2FBCBh 0x0000001b call 00007F0048E2FB5Dh 0x00000020 lfence 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E3591 second address: 00000000002E3591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0048FFE9D4h 0x0000001d popad 0x0000001e call 00007F0048FFBD95h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E0696 second address: 00000000002E0696 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E673B second address: 00000000002E673B instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E40C0 second address: 00000000002E40C0 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E7464 second address: 00000000002E7464 instructions:
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	RDTSC instruction interceptor: First address: 00000000002E76B5 second address: 00000000002E76B5 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000303418 second address: 0000000000303591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp al, dl 0x0000000d xor edi, edi 0x0000000f test al, cl 0x00000011 mov ecx, 000186A0h 0x00000016 test ax, dx 0x00000019 cmp edx, F977E25Ah 0x0000001f pushad 0x00000020 nop 0x00000021 nop 0x00000022 mov eax, 00000001h 0x00000027 cpuid 0x00000029 popad 0x0000002a cmp ebx, edx 0x0000002c jmp 00007F0048FFBD6Ah 0x0000002e test al, 9Dh 0x00000030 push ecx 0x00000031 cmp eax, ebx 0x00000033 test ch, FFFFFFE9h 0x00000036 call 00007F0048FFBE1Bh 0x0000003b call 00007F0048FFBDADh 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000303591 second address: 0000000000303591 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0048E32784h 0x0000001d popad 0x0000001e call 00007F0048E2FB45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000301A80 second address: 0000000000301A80 instructions:

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Code function: 0_2_004095BA rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Window / User API: threadDelayed 375
Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Window / User API: threadDelayed 9625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9636

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2564	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2100	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2100	Thread sleep time: -120000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 30000

Source: RegAsm.exe, 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Code function: 0_2_004095BA rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00303A7B LdrInitializeThunk,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303160 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00303162 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003055B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003055BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003055DF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00305E5C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00305E42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003066FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003066D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00306722 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_003067B4 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 300000

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'

Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.3144842926.0000000001210000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini

Source: Yara match	File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2028, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Masquerading11	OS Credential Dumping2	Security Software Discovery731	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion341	Security Account Manager	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol112	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery413	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
Zapytanie ofertowe (THERMAR 04152021).exe	16%	Virustotal	Browse
Zapytanie ofertowe (THERMAR 04152021).exe	15%	ReversingLabs
Zapytanie ofertowe (THERMAR 04152021).exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
aepa.ws	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.a-cert.at0E	0%	URL Reputation	safe
http://www.a-cert.at0E	0%	URL Reputation	safe
http://www.a-cert.at0E	0%	URL Reputation	safe
http://www.a-cert.at0E	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	0%	URL Reputation	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	0%	URL Reputation	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	0%	URL Reputation	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.certicamara.com0	0%	URL Reputation	safe
http://www.certicamara.com0	0%	URL Reputation	safe
http://www.certicamara.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
aepa.ws	185.127.128.20	true	true	0%, Virustotal, Browse	unknown
googlehosted.l.googleusercontent.com	216.58.214.225	true	false		high
doc-00-74-docs.googleusercontent.com	unknown	unknown	false		high
mail.aepa.ws	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://H59hPIoLS2g1MK.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.a-cert.at0E	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-me.lv/repository0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org/doc0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certifikat.dk/repository0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.chambersign.org1	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://doc-00-74-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/1c5gv62u	RegAsm.exe, 00000002.00000002.3144636278.0000000000869000.00000004.00000020.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.swisssign.com/0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://crl.ssc.lt/root-c/cacrl.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.infonotary.com/cps/qcps.html0$	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.post.trust.ie/reposit/cps.html0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class2.crl0	RegAsm.exe, 00000002.00000002.3149242845.0000000020D04000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.infonotary.com/responder.cgi0V	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sk.ee/cps/0	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.globaltrust.info0=	RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servername/isapibackend.dll	RegAsm.exe, 00000002.00000002.3149408902.0000000021550000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.ssc.lt/cps03	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.windows.com/pctv.	Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.gva.es0	RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.oces.certifikat.dk/oces.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://crl.pki.wellsfargo.com/wsprca.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://www.dnie.es/dpc0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.rootca.or.kr/rca/cps.html0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	RegAsm.exe, 00000002.00000002.3144555692.00000000007BD000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustcenter.de/guidelines0	RegAsm.exe, 00000002.00000002.3144581830.00000000007E7000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.globaltrust.info0	RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certificates.starfieldtech.com/repository/1604	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://www.certplus.com/CRL/class3TS.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.entrust.net/CRL/Client1.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp	false		high
https://www.catcert.net/verarrel	RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.disig.sk/ca0f	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-szigno.hu/RootCA.crl	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://www.signatur.rtr.at/current.crl0	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false		high
http://www.sk.ee/juur/crl/0	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-a/cacrl.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.aepa.ws	RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.firmaprofesional.com0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	RegAsm.exe, 00000002.00000002.3148146381.000000001D650000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.netlock.net/docs	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://doc-00-74-docs.googleusercontent.com/tG	RegAsm.exe, 00000002.00000002.3144572077.00000000007D9000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	false		high
http://aepa.ws	RegAsm.exe, 00000002.00000002.3148699743.000000001E16A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://cps.chambersign.org/cps/publicnotaryroot.html0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-trust.be/CPS/QNcerts	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/certicamaraca.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	false		high
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	RegAsm.exe, 00000002.00000002.3149227523.0000000020CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net03	RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ca.sia.it/seccli/repository/CPS0	RegAsm.exe, 00000002.00000002.3149182570.0000000020CA0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.securetrust.com/SGCA.crl0	RegAsm.exe, 00000002.00000002.3148291480.000000001D71B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954783486.0000000003647000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://H59hPIoLS2g1MK.netLX	RegAsm.exe, 00000002.00000002.3148657676.000000001E11E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certicamara.com/certicamaraca.crl0;	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://www.e-szigno.hu/RootCA.crt0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://www.quovadisglobal.com/cps0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	false		high
http://www.valicert.com/1	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-szigno.hu/SZSZ/0	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	RegAsm.exe, 00000002.00000002.3144872150.0000000002610000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net0D	RegAsm.exe, 00000002.00000002.3144609967.0000000000830000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersignroot.html0	RegAsm.exe, 00000002.00000002.3149271873.0000000020D32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.sia.it/secsrv/repository/CRL.der0J	RegAsm.exe, 00000002.00000002.3149202068.0000000020CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com	Zapytanie ofertowe (THERMAR 04152021).exe, 00000000.00000002.2954465812.0000000003460000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.214.225	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false
185.127.128.20	aepa.ws	Spain		13287	NIXVALIP-ASNIXVALDatacenterES	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	387921
Start date:	15.04.2021
Start time:	17:53:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 32s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Zapytanie ofertowe (THERMAR 04152021).exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@7/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 64.4% (good quality ratio 30.3%) Quality average: 24.1% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 76% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 216.58.214.238, 93.184.221.240, 2.20.143.16, 2.20.142.210 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, drive.google.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:00:49	API Interceptor	205x Sleep call for process: Zapytanie ofertowe (THERMAR 04152021).exe modified
18:01:20	API Interceptor	1263x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.127.128.20	PUNKTSTREJKER.exe	Get hash	malicious	Browse
185.127.128.20	Humorens.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NIXVALIP-ASNIXVALDatacenterES	PUNKTSTREJKER.exe	Get hash	malicious	Browse	185.127.128.20
	20210111 Virginie.exe	Get hash	malicious	Browse	185.127.128.91
	Humorens.exe	Get hash	malicious	Browse	185.127.128.20

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	catalog-1482570486.xlsm	Get hash	malicious	Browse	216.58.214.225
	catalog-1134436431.xlsm	Get hash	malicious	Browse	216.58.214.225
	catalog-138717734.xlsm	Get hash	malicious	Browse	216.58.214.225
	PO -28001 X67533AB.ppt	Get hash	malicious	Browse	216.58.214.225
	dridex.xlsm	Get hash	malicious	Browse	216.58.214.225
	payment _tdetails.pps	Get hash	malicious	Browse	216.58.214.225
	payment _tdetails.pps	Get hash	malicious	Browse	216.58.214.225
	Payment Advice.xlsx	Get hash	malicious	Browse	216.58.214.225
	RFQ P39948220.ppt	Get hash	malicious	Browse	216.58.214.225
	payment _tdetails.pps	Get hash	malicious	Browse	216.58.214.225
	payment _tdetails.pps	Get hash	malicious	Browse	216.58.214.225
	LC document -Ref.docx	Get hash	malicious	Browse	216.58.214.225
	LC document -Ref.docx	Get hash	malicious	Browse	216.58.214.225
	presupuesto.xlsx	Get hash	malicious	Browse	216.58.214.225
	Order 100920-0087.pps	Get hash	malicious	Browse	216.58.214.225
	Shipping-Documents.xlsx	Get hash	malicious	Browse	216.58.214.225
	shipping documents. CI PL.xlsx	Get hash	malicious	Browse	216.58.214.225
	Original Invoice-COAU7229898130.xlsx	Get hash	malicious	Browse	216.58.214.225
	NEW ORDER.xlsx	Get hash	malicious	Browse	216.58.214.225
	swift note.xlsx	Get hash	malicious	Browse	216.58.214.225

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\KTDIPTU6.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	239
Entropy (8bit):	5.7057371778041945
Encrypted:	false
SSDEEP:	6:sPFqNgNStfsWoljg3vc2fTS/SXbWQ0ZUrZOkX:sYyAEq9u/SXbWQ0qrw4
MD5:	306B0C7AB15D88CA94611A66C9E200BC
SHA1:	7F0089EE6B75566CF09F75EEB57BF5F0056B551A
SHA-256:	69E70E0219368D64CDF32EAE68C0C4B2B3F0B67DA1C8C10E44BDE8B8005B633A
SHA-512:	BAE6470595AF9E3723F57370B49601F206B01A2A69568F90559434787A7AEA8FCFE4E6AC766331C69FB512F0E8F23751625DED17841BFF0A1CC5499A4EA54A05
Malicious:	false
Reputation:	low
IE Cache URL:	google.com/
Preview:	NID.213=X1FbwnB20Rh_kGifh_BD5UdBNm7DcuUHW3n_kID4VzUx8KQde9sMUFWjziyQplZJzmgwmnRcD7kTmkb_C4u3u6S1C4JbrEiIwnkCuZoWLQonbsbBD80hZRboza2PdH9WmZ766W3ARsBhvQkRZT92EFe9e6oWHVzMaa-Jpf_wFRE.google.com/.9217.3747347840.30917085.3063616447.30880348.*.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.75801746680285
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Zapytanie ofertowe (THERMAR 04152021).exe
File size:	118784
MD5:	db9c85fd056d349b140e717463f96af7
SHA1:	35c6ade22bb43f1a540ca038685bc9972cf6bea7
SHA256:	e43b31d2b2446cd82a278f282ac128721a9d8b7718524eab066f5ed7eac40c1e
SHA512:	0f8ed5531be1f57bcaf4370af63182218e9fd8e0750520719400829e315762b7078cd5bc31368e77e10f7fb44b943dc90dbd3fc67bddfc509163e685db25f33e
SSDEEP:	1536:dGMHX05foJhq45BLUaYuhyWGG5xtqJ+oIhEXr4Ixbp/xfnZtVuqltL:MMHX05fihrhGG0t
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......S.................p...`......h.............@................

File Icon


Icon Hash:	c0c6f2e0e4fefe3f

Static PE Info

General
Entrypoint:	0x401968
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x531EE68F [Tue Mar 11 10:33:51 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7677b40f5f8927412a58af017314f1ed

Entrypoint Preview

Instruction
push 0040F4F0h
call 00007F0048C89D63h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, dh
ret
xchg eax, ebp
sbb al, 77h
cmp byte ptr [eax+44C5AC45h], FFFFFF88h
sbb dword ptr [ecx+0000624Bh], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc esi
inc ecx
inc edx
push edx
dec ecx
dec ebx
push ebx
inc edx
inc ebp
push esi
inc edi
inc ebp
dec esp
push ebx
inc ebp
dec esi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or al, 03h
lodsd
imul esi, dword ptr [esi], 98h
mov ah, 89h
inc ebp
test eax, 8C94C334h
mov ah, DCh
mov dl, bh
or al, 4Bh
and al, 4Eh
bound esp, dword ptr [eax]
inc ebx
mov bh, BAh
fldcw word ptr [ecx-41F2A5C7h]
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lds ebx, ecx
add byte ptr [eax], al
rcl edi, cl
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [ebx+61h], al
jnc 00007F0048C89DD4h
popad
push 010D0034h
adc dword ptr [eax], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x176d4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x3822	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1a8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16cb8	0x17000	False	0.452275815217	data	6.1434637359	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x18000	0x1260	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x3822	0x4000	False	0.462036132812	data	5.14332580962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1cf7a	0x8a8	data
RT_ICON	0x1c8b2	0x6c8	data
RT_ICON	0x1c34a	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x1b2a2	0x10a8	data
RT_ICON	0x1a91a	0x988	data
RT_ICON	0x1a4b2	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1a458	0x5a	data
RT_VERSION	0x1a1e0	0x278	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	GALDEBR
FileVersion	1.00
CompanyName	Cluster-C
Comments	Cluster-C
ProductName	Cluster-C
ProductVersion	1.00
FileDescription	Cluster-C
OriginalFilename	GALDEBR.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 18:01:12.212256908 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.264131069 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.265568972 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.267456055 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.321011066 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.342972994 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.343009949 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.343050957 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.343089104 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.343179941 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.343230009 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.360383987 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.412508011 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.412708998 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.464942932 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.522010088 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.731431961 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.731473923 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.731501102 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.731508970 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.731532097 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.731626987 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.732355118 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.733809948 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.733895063 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.733922005 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.733952045 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.737828970 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.737862110 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.737991095 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.741806030 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.741832018 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.741959095 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.749556065 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.749583006 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.749783039 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.752372026 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.752398014 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.752569914 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.785125971 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.785361052 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.785164118 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.785926104 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.788640022 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.788700104 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.788830042 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.790923119 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.790952921 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.791068077 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.794948101 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.794986963 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.795150042 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.800987959 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.801026106 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.801197052 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.802383900 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.802417040 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.802510977 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.806937933 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.806982994 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.807116985 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.810208082 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.810255051 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.810425997 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.815879107 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.815922976 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.816093922 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.817642927 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.817677975 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.817797899 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.822451115 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.822487116 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.822679996 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.824371099 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.824410915 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.824539900 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.828536987 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.828566074 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.828712940 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.831448078 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.831476927 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.831545115 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.834703922 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.834737062 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.834789038 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.834806919 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.838165045 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.838191986 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.838254929 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.838283062 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.841104984 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.841128111 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.841216087 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.843889952 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.843913078 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.843995094 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.846364021 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.846389055 CEST	443	49166	216.58.214.225	192.168.2.22
Apr 15, 2021 18:01:12.846508026 CEST	49166	443	192.168.2.22	216.58.214.225
Apr 15, 2021 18:01:12.848859072 CEST	443	49166	216.58.214.225	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 18:01:10.734416962 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:01:10.804838896 CEST	53	52197	8.8.8.8	192.168.2.22
Apr 15, 2021 18:01:10.805563927 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:01:10.867307901 CEST	53	52197	8.8.8.8	192.168.2.22
Apr 15, 2021 18:01:12.142263889 CEST	53099	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:01:12.207240105 CEST	53	53099	8.8.8.8	192.168.2.22
Apr 15, 2021 18:02:42.101356030 CEST	52838	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:02:42.326306105 CEST	53	52838	8.8.8.8	192.168.2.22
Apr 15, 2021 18:02:42.327224016 CEST	52838	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:02:42.575835943 CEST	53	52838	8.8.8.8	192.168.2.22
Apr 15, 2021 18:02:42.576613903 CEST	52838	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:02:42.786523104 CEST	53	52838	8.8.8.8	192.168.2.22
Apr 15, 2021 18:02:42.786982059 CEST	52838	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:02:42.846781015 CEST	53	52838	8.8.8.8	192.168.2.22
Apr 15, 2021 18:02:42.889276028 CEST	61200	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:02:42.946216106 CEST	53	61200	8.8.8.8	192.168.2.22
Apr 15, 2021 18:02:42.946795940 CEST	61200	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:02:43.004003048 CEST	53	61200	8.8.8.8	192.168.2.22
Apr 15, 2021 18:02:43.908097982 CEST	49548	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:02:43.960939884 CEST	53	49548	8.8.8.8	192.168.2.22
Apr 15, 2021 18:02:43.969772100 CEST	55627	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:02:44.019891024 CEST	53	55627	8.8.8.8	192.168.2.22
Apr 15, 2021 18:02:44.020473003 CEST	55627	53	192.168.2.22	8.8.8.8
Apr 15, 2021 18:02:44.080375910 CEST	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 15, 2021 18:01:12.142263889 CEST	192.168.2.22	8.8.8.8	0x1df6	Standard query (0)	doc-00-74-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.101356030 CEST	192.168.2.22	8.8.8.8	0x96d8	Standard query (0)	mail.aepa.ws	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.327224016 CEST	192.168.2.22	8.8.8.8	0x96d8	Standard query (0)	mail.aepa.ws	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.576613903 CEST	192.168.2.22	8.8.8.8	0x96d8	Standard query (0)	mail.aepa.ws	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.786982059 CEST	192.168.2.22	8.8.8.8	0x96d8	Standard query (0)	mail.aepa.ws	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.889276028 CEST	192.168.2.22	8.8.8.8	0xded2	Standard query (0)	mail.aepa.ws	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.946795940 CEST	192.168.2.22	8.8.8.8	0xded2	Standard query (0)	mail.aepa.ws	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 15, 2021 18:01:12.207240105 CEST	8.8.8.8	192.168.2.22	0x1df6	No error (0)	doc-00-74-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 18:01:12.207240105 CEST	8.8.8.8	192.168.2.22	0x1df6	No error (0)	googlehosted.l.googleusercontent.com		216.58.214.225	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.326306105 CEST	8.8.8.8	192.168.2.22	0x96d8	No error (0)	mail.aepa.ws	aepa.ws		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 18:02:42.326306105 CEST	8.8.8.8	192.168.2.22	0x96d8	No error (0)	aepa.ws		185.127.128.20	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.575835943 CEST	8.8.8.8	192.168.2.22	0x96d8	No error (0)	mail.aepa.ws	aepa.ws		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 18:02:42.575835943 CEST	8.8.8.8	192.168.2.22	0x96d8	No error (0)	aepa.ws		185.127.128.20	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.786523104 CEST	8.8.8.8	192.168.2.22	0x96d8	No error (0)	mail.aepa.ws	aepa.ws		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 18:02:42.786523104 CEST	8.8.8.8	192.168.2.22	0x96d8	No error (0)	aepa.ws		185.127.128.20	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.846781015 CEST	8.8.8.8	192.168.2.22	0x96d8	No error (0)	mail.aepa.ws	aepa.ws		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 18:02:42.846781015 CEST	8.8.8.8	192.168.2.22	0x96d8	No error (0)	aepa.ws		185.127.128.20	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:42.946216106 CEST	8.8.8.8	192.168.2.22	0xded2	No error (0)	mail.aepa.ws	aepa.ws		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 18:02:42.946216106 CEST	8.8.8.8	192.168.2.22	0xded2	No error (0)	aepa.ws		185.127.128.20	A (IP address)	IN (0x0001)
Apr 15, 2021 18:02:43.004003048 CEST	8.8.8.8	192.168.2.22	0xded2	No error (0)	mail.aepa.ws	aepa.ws		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 18:02:43.004003048 CEST	8.8.8.8	192.168.2.22	0xded2	No error (0)	aepa.ws		185.127.128.20	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 15, 2021 18:01:12.343089104 CEST	216.58.214.225	443	192.168.2.22	49166	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Mar 23 09:24:00 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 15 10:23:59 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Apr 15, 2021 18:01:12.343089104 CEST	216.58.214.225	443	192.168.2.22	49166	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		7dcce5b76c8b17472d024758970a406b

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 15, 2021 18:02:43.284737110 CEST	587	49167	185.127.128.20	192.168.2.22	220-vlc4945.hosters.es ESMTP Exim 4.94 #2 Thu, 15 Apr 2021 18:02:43 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 15, 2021 18:02:43.285473108 CEST	49167	587	192.168.2.22	185.127.128.20	EHLO 609290
Apr 15, 2021 18:02:43.349172115 CEST	587	49167	185.127.128.20	192.168.2.22	250-vlc4945.hosters.es Hello 609290 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-STARTTLS 250 HELP
Apr 15, 2021 18:02:43.349786043 CEST	49167	587	192.168.2.22	185.127.128.20	STARTTLS
Apr 15, 2021 18:02:43.414927959 CEST	587	49167	185.127.128.20	192.168.2.22	220 TLS go ahead

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Zapytanie ofertowe (THERMAR 04152021).exe PID: 2404 Parent PID: 2944

General

Start time:	17:54:29
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Imagebase:	0x400000
File size:	118784 bytes
MD5 hash:	DB9C85FD056D349B140E717463F96AF7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RegAsm.exe PID: 2028 Parent PID: 2404

General

Start time:	18:00:49
Start date:	15/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Zapytanie ofertowe (THERMAR 04152021).exe'
Imagebase:	0xe90000
File size:	64672 bytes
MD5 hash:	ADF76F395D5A0ECBBF005390B73C3FD2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000002.00000002.3144347709.0000000000302000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3148623210.000000001E0CE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3148545524.000000001E031000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Zapytanie ofertowe (THERMAR 04152021).exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets