Play interactive tour

Edit tour

Windows Analysis Report Documentos de env#U00edo.exe

Overview

General Information

Sample Name:	Documentos de env#U00edo.exe
Analysis ID:	457991
MD5:	a60166d50572eedc2e44b327e4928324
SHA1:	0b5c5afd46ab950959dc1e5fda5520ddae0c51a4
SHA256:	8a714868cf6bea9d1a01154cc98fa33abbe75350f06cf26d31538ed0aba6a808
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

GuLoader behavior detected

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Documentos de env#U00edo.exe (PID: 5448 cmdline: 'C:\Users\user\Desktop\Documentos de env#U00edo.exe' MD5: A60166D50572EEDC2E44B327E4928324)

RegAsm.exe (PID: 5088 cmdline: 'C:\Users\user\Desktop\Documentos de env#U00edo.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5088	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 5088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 78.128.8.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 5088, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49754

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Documentos de env#U00edo.exe

Virustotal: Detection: 20%

Perma Link

Source: Documentos de env#U00edo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown	HTTPS traffic detected: 216.58.208.174:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.208.129:443 -> 192.168.2.3:49747 version: TLS 1.2

Networking:

Source: global traffic

TCP traffic: 192.168.2.3:49754 -> 78.128.8.31:587

Source: Joe Sandbox View

IP Address: 78.128.8.31 78.128.8.31

Source: Joe Sandbox View

ASN Name: TELEPOINTBG TELEPOINTBG

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.3:49754 -> 78.128.8.31:587

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289517050.000000001DD50000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000003.862518902.00000000012F1000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289680896.000000001DDC6000.00000004.00000001.sdmp	String found in binary or memory: http://SFk55itrh2ylIByRGIl.net
Source: RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	String found in binary or memory: http://brimaq.com
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp	String found in binary or memory: http://cWlbEv.com
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000014.00000002.1283640842.000000000125F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	String found in binary or memory: http://mail.brimaq.com
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsrr
Source: RegAsm.exe, 00000014.00000002.1282624893.0000000000E63000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.l
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0#
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000014.00000002.1283789594.00000000012A4000.00000004.00000001.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 00000014.00000002.1283789594.00000000012A4000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegAsm.exe, 00000014.00000002.1282624893.0000000000E63000.00000004.00000001.sdmp	String found in binary or memory: http://x1.kx
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp	String found in binary or memory: https://doc-10-00-docs.googleusercontent.com/)
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp	String found in binary or memory: https://doc-10-00-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/q5t04a04
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp	String found in binary or memory: https://doc-10-00-docs.googleusercontent.com/g
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVk
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVknc
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVkwininet.dllMozilla/5
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 216.58.208.174:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.208.129:443 -> 192.168.2.3:49747 version: TLS 1.2

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Code function: 0_2_004028B4 GetAsyncKeyState,

Source: Documentos de env#U00edo.exe, 00000000.00000002.580708415.000000000072A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Documentos de env#U00edo.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Documentos de env#U00edo.exe

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CD2B8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CD25660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CD26D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDB2D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDB2618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDB1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDBDF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDBAB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDBC320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDBEE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDBF7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDF6C84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDFFA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDF3620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDFC220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDF9368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1D8B47A0

Source: Documentos de env#U00edo.exe, 00000000.00000002.580697666.0000000000710000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Documentos de env#U00edo.exe
Source: Documentos de env#U00edo.exe, 00000000.00000000.203569731.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePROSODETICDEF.exe vs Documentos de env#U00edo.exe
Source: Documentos de env#U00edo.exe	Binary or memory string: OriginalFilenamePROSODETICDEF.exe vs Documentos de env#U00edo.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Source: Documentos de env#U00edo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@4/1@4/3

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_01

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

File created: C:\Users\user\AppData\Local\Temp\~DFB9F937056F61369A.TMP

Jump to behavior

Source: Documentos de env#U00edo.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Documentos de env#U00edo.exe

Virustotal: Detection: 20%

Source: unknown	Process created: C:\Users\user\Desktop\Documentos de env#U00edo.exe 'C:\Users\user\Desktop\Documentos de env#U00edo.exe'
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Documentos de env#U00edo.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Documentos de env#U00edo.exe'

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_00409055 push ss; ret
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_0040B45D push ss; iretd
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_004090A4 push ss; ret
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_00406151 push ss; iretd
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_00407566 push edi; ret
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_00408D20 push ss; iretd
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_00409184 push ss; ret
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_00407E4C push ss; iretd
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_0040B657 push ebp; ret
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_0040BE67 push ss; iretd
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_00409A90 push ss; iretd
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_0040BEAF push ss; iretd
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_00409B6A push ss; iretd
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 0_2_022573AB push es; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_00F0B424 push edx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDB0027 push eax; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1CDB7A37 push edi; retn 0000h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1D8BB9A1 pushfd ; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 20_2_1D8BBB6F pushfd ; retf

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 000000000225916B second address: 000000000225916B instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 000000000225AD54 second address: 000000000225AD54 instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 00000000022571FE second address: 00000000022571FE instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 000000000225441C second address: 000000000225441C instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000F03CA3 second address: 0000000000F03CA3 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1U3UTP2E9N-KTYQTSUDKBYXSCSQIOJWVKWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE}[@W
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 000000000225916B second address: 000000000225916B instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 000000000225AD54 second address: 000000000225AD54 instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 000000000225621F second address: 000000000225621F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FA25E20Bh 0x00000013 xor eax, 8D2E0BD9h 0x00000018 xor eax, B706CE67h 0x0000001d add eax, 3FF2D84Ch 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB080D17B53h 0x0000002e popad 0x0000002f call 00007FB080D1489Ch 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 00000000022571FE second address: 00000000022571FE instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 000000000225441C second address: 000000000225441C instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 0000000002254C41 second address: 0000000002254CD8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add ebx, E4F5C3BBh 0x00000009 xor ebx, F04BE065h 0x0000000f push ebx 0x00000010 mov ebx, dword ptr [ebp+00000269h] 0x00000016 mov dword ptr [ebp+0000027Dh], edi 0x0000001c mov edi, 6EA3B468h 0x00000021 cmp edx, eax 0x00000023 cmp ecx, ecx 0x00000025 xor edi, CF0FEDB9h 0x0000002b xor edi, 3ACEA381h 0x00000031 xor edi, 9B62FA50h 0x00000037 jmp 00007FB080A5394Ah 0x00000039 pushad 0x0000003a mov esi, 0000005Fh 0x0000003f rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000F0621F second address: 0000000000F0621F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FA25E20Bh 0x00000013 xor eax, 8D2E0BD9h 0x00000018 xor eax, B706CE67h 0x0000001d add eax, 3FF2D84Ch 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB080D17B53h 0x0000002e popad 0x0000002f call 00007FB080D1489Ch 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000F03CA3 second address: 0000000000F03CA3 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9469

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5032

Thread sleep time: -15679732462653109s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVkwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe}[@W
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW}
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

System information queried: ModuleInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 20_2_1CDF0040 LdrInitializeThunk,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F00000

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Documentos de env#U00edo.exe'

Source: RegAsm.exe, 00000014.00000002.1284217440.0000000001800000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000014.00000002.1284217440.0000000001800000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000014.00000002.1284217440.0000000001800000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000014.00000002.1284217440.0000000001800000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected AgentTesla

Show sources

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 5088, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5088, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 5088, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	Security Software Discovery621	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion341	Input Capture21	Process Discovery2	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Credentials in Registry1	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery315	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Documentos de env#U00edo.exe	21%	Virustotal		Browse
Documentos de env#U00edo.exe	7%	ReversingLabs	Win32.Trojan.Mucc

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
brimaq.com	0%	Virustotal		Browse
mail.brimaq.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://x1.kx	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://r3.i.l	0%	Avira URL Cloud	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://pki.goog/gsrr	0%	Avira URL Cloud	safe
http://brimaq.com	0%	Avira URL Cloud	safe
http://mail.brimaq.com	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://cWlbEv.com	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://SFk55itrh2ylIByRGIl.net	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0#	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	216.58.208.174	true	false		high
brimaq.com	78.128.8.31	true	true	0%, Virustotal, Browse	unknown
googlehosted.l.googleusercontent.com	216.58.208.129	true	false		high
doc-10-00-docs.googleusercontent.com	unknown	unknown	false		high
mail.brimaq.com	unknown	unknown	false	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://x1.kx	RegAsm.exe, 00000014.00000002.1282624893.0000000000E63000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://cps.letsencrypt.org0	RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://doc-10-00-docs.googleusercontent.com/g	RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp	false		high
https://drive.google.com/	RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp	false		high
http://r3.i.l	RegAsm.exe, 00000014.00000002.1282624893.0000000000E63000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	RegAsm.exe, 00000014.00000002.1283789594.00000000012A4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegAsm.exe, 00000014.00000002.1283789594.00000000012A4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://doc-10-00-docs.googleusercontent.com/)	RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp	false		high
https://doc-10-00-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/q5t04a04	RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp	false		high
http://crl.pki.goog/GTS1O1core.crl0	RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://pki.goog/gsrr	RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://brimaq.com	RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.brimaq.com	RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.o.lencr.org0	RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://cWlbEv.com	RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://pki.goog/repository/0	RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://SFk55itrh2ylIByRGIl.net	RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289517050.000000001DD50000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000003.862518902.00000000012F1000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289680896.000000001DDC6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/0#	RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://cps.root-x1.letsencrypt.org0	RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.208.174	drive.google.com	United States	15169	GOOGLEUS	false
216.58.208.129	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
78.128.8.31	brimaq.com	Bulgaria	31083	TELEPOINTBG	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457991
Start date:	02.08.2021
Start time:	16:56:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 12s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Documentos de env#U00edo.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@4/1@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.5% (good quality ratio 1.8%) Quality average: 18.7% Quality standard deviation: 30.6%
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 40.88.32.150, 13.64.90.137, 20.82.209.183, 23.211.4.86, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.210.154, 20.54.110.249, 20.190.160.136, 20.190.160.2, 20.190.160.8, 20.190.160.6, 20.190.160.132, 20.190.160.75, 20.190.160.73, 20.190.160.4, 93.184.220.29, 20.49.150.241, 51.104.136.2, 40.127.240.158 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, ocsp.digicert.com, login.live.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:00:47	API Interceptor	2043x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
78.128.8.31	Zapytanie ofertowe-ETG4791.exe	Get hash	malicious	Browse
	AWB-18267638920511_Pl.exe	Get hash	malicious	Browse
	PO0621.exe	Get hash	malicious	Browse
	AWB-182676389205111_ES.exe	Get hash	malicious	Browse
	RFxOFFER 373721.exe	Get hash	malicious	Browse
	RFxOFFER 373721.exe	Get hash	malicious	Browse
	#CMA-CMG.exe	Get hash	malicious	Browse
	#CMA-CMB.exe	Get hash	malicious	Browse
	FACTURA 6475.exe	Get hash	malicious	Browse
	AWB-18267638920511_ES.exe	Get hash	malicious	Browse
	FACTURA 6476.exe	Get hash	malicious	Browse
	Zam#U00f3wienie-290421.85655463.exe	Get hash	malicious	Browse
	PZnr10961754.exe	Get hash	malicious	Browse
	Nieprawid#U0142owy IBAN.exe	Get hash	malicious	Browse
	AWB-182676389205111_ES.exe	Get hash	malicious	Browse
	xVvAobZvWU.exe	Get hash	malicious	Browse
	FAKTURA I RACHUNKI.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEPOINTBG	VfNmYKR1b7	Get hash	malicious	Browse	78.142.32.102
	Zapytanie ofertowe-ETG4791.exe	Get hash	malicious	Browse	78.128.8.31
	AWB-18267638920511_Pl.exe	Get hash	malicious	Browse	78.128.8.31
	PO0621.exe	Get hash	malicious	Browse	78.128.8.31
	xwKdahKPn8.exe	Get hash	malicious	Browse	79.124.76.247
	N0vpYgIYpv.exe	Get hash	malicious	Browse	79.124.76.20
	dqVPlpmWYt.exe	Get hash	malicious	Browse	78.142.47.220
	Receipt_Dhl_000010000000000000000010.pdf.exe	Get hash	malicious	Browse	78.142.47.93
	00010200390_0192021.pdf.exe	Get hash	malicious	Browse	78.142.47.93
	AWB-182676389205111_ES.exe	Get hash	malicious	Browse	78.128.8.31
	RFxOFFER 373721.exe	Get hash	malicious	Browse	78.128.8.31
	RFxOFFER 373721.exe	Get hash	malicious	Browse	78.128.8.31
	New_Order.exe	Get hash	malicious	Browse	91.148.168.141
	#CMA-CMG.exe	Get hash	malicious	Browse	78.128.8.31
	#CMA-CMB.exe	Get hash	malicious	Browse	78.128.8.31
	FACTURA 6475.exe	Get hash	malicious	Browse	78.128.8.31
	generated order 677120.xlsm	Get hash	malicious	Browse	217.174.152.36
	generated_check_9698936.xlsm	Get hash	malicious	Browse	217.174.152.52
	purchase order 370149.xlsm	Get hash	malicious	Browse	217.174.152.36
	copy of fax 04946.xlsm	Get hash	malicious	Browse	217.174.152.36

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	economic relations.doc	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	dumpservice.vbs	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	Invoice-NBM01557.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	o12nY1xwUl.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	R4qgfTvaiK.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	Zaobz-rdbmw-xdw-f.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	AR2rPMLtaN.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	NEW PO pdf.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	BFE85B846350851DD4F83DFED498AE60F85D4129329C2.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	Aging invoice.html	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	R5L9IoaG67.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	flJrVwWebP.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	QfVER41Fwx.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	1A263B2603212FF1E492D9E0C718F12601789E27EAABA.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	mbVrdKm3zX.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	bHC6bZhkMz.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	5qW61eKDTp.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	WWzUml7m53.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	e7V79qGVJT.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174
	it2TiN2UtR.exe	Get hash	malicious	Browse	216.58.208.129 216.58.208.174

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.37444232902198
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Documentos de env#U00edo.exe
File size:	143360
MD5:	a60166d50572eedc2e44b327e4928324
SHA1:	0b5c5afd46ab950959dc1e5fda5520ddae0c51a4
SHA256:	8a714868cf6bea9d1a01154cc98fa33abbe75350f06cf26d31538ed0aba6a808
SHA512:	b3ff28a846c6f0c7f7d54ea3c485be76b76f1d49b497ea79c145b4d2e0b53806d6a254e2b7e6931612fc688874ec85b03e7c50f405f638a18b94394ad111d81c
SSDEEP:	3072:W5CFYJr2EF82w1+AG+TeMn5+oXdFv1x9:PHEbLEzhNFv
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...u.NY.....................0....................@................

File Icon


Icon Hash:	c4e8c8cccce0e8e8

Static PE Info

General
Entrypoint:	0x4014b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x594EF175 [Sat Jun 24 23:10:45 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fef384fc3a66a559dff455f07d497ca0

Entrypoint Preview

Instruction
push 00401EC0h
call 00007FB08076E3E3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ah, ch
nop

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x204d4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0xc1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1facc	0x20000	False	0.381553649902	data	6.66782218684	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x21000	0x11bc	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0xc1c	0x1000	False	0.313720703125	data	3.27540208335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x23374	0x8a8	data
RT_GROUP_ICON	0x23360	0x14	data
RT_VERSION	0x230f0	0x270	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	PROSODETICDEF
FileVersion	1.00
CompanyName	Intersection Road
Comments	Intersection Road
ProductName	RONTGE
ProductVersion	1.00
OriginalFilename	PROSODETICDEF.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 17:00:34.338813066 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:34.360301018 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:34.360454082 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:34.398952961 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:34.422363043 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:34.438225031 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:34.438266993 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:34.438297033 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:34.438332081 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:34.438374043 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:34.438457012 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:34.525110006 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:34.546905041 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:34.547039986 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:34.569781065 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:34.596438885 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:35.280466080 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:35.280524969 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:35.280565023 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:35.280608892 CEST	443	49746	216.58.208.174	192.168.2.3
Aug 2, 2021 17:00:35.280726910 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:35.280823946 CEST	49746	443	192.168.2.3	216.58.208.174
Aug 2, 2021 17:00:35.372680902 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.393856049 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.394048929 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.395579100 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.416757107 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.433420897 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.433475971 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.433569908 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.433595896 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.433605909 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.433725119 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.433731079 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.433747053 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.433845997 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.450187922 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.472893953 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.472994089 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.473820925 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.499691010 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.765315056 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.765347958 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.765367031 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.765388966 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.765412092 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.765450954 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.765525103 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.765532970 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.766763926 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.766793966 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.766855955 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.766880989 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.768345118 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.768367052 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.768423080 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.768450975 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.769890070 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.769920111 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.769964933 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.769984007 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.771447897 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.771473885 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.771557093 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.771579027 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.772995949 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.773022890 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.773088932 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.773114920 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.774578094 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.775125980 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.786448002 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.786480904 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.786536932 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.786581039 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.787178993 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.787215948 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.787267923 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.787298918 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.788737059 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.788764954 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.788822889 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.790267944 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.790292025 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.790357113 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.790383101 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.791872978 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.791899920 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.791950941 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.791974068 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.793534040 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.793560982 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.793615103 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.793641090 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.795005083 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.795037985 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.795109987 CEST	49747	443	192.168.2.3	216.58.208.129
Aug 2, 2021 17:00:35.796602964 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.796659946 CEST	443	49747	216.58.208.129	192.168.2.3
Aug 2, 2021 17:00:35.796688080 CEST	49747	443	192.168.2.3	216.58.208.129

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 16:56:55.567585945 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:56:55.592525005 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 2, 2021 16:56:56.659517050 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:56:56.687064886 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 2, 2021 16:56:58.562406063 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:56:58.596236944 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:01.436415911 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:01.462224007 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:04.115099907 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:04.140150070 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:05.099077940 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:05.139965057 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:05.758502960 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:05.784557104 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:06.762748957 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:06.795519114 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:07.785878897 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:07.811289072 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:08.831943989 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:08.866193056 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:09.937596083 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:09.965112925 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:10.554968119 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:10.582675934 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:11.175050020 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:11.202613115 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:12.215919018 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:12.243463039 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:12.852411985 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:12.878633976 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:13.503043890 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:13.528069019 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:27.573021889 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:27.616233110 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:30.643105984 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:30.680594921 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 2, 2021 16:57:44.806967974 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:57:44.860752106 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 2, 2021 16:58:02.608850002 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:58:02.649127007 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 2, 2021 16:58:08.086823940 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:58:08.121056080 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 2, 2021 16:58:39.202707052 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:58:39.246503115 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 2, 2021 16:58:41.927797079 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:58:41.971268892 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:49.285362005 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:49.363018036 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:51.279289961 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:51.318583012 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:52.192172050 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:52.224678993 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:52.602555990 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:52.635065079 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:53.053513050 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:53.087201118 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:53.625606060 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:53.659023046 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:54.109380960 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:54.144692898 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:56.510467052 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:56.543087959 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:58.192559004 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:58.225089073 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 2, 2021 16:59:58.567750931 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 2, 2021 16:59:58.592955112 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 2, 2021 17:00:34.271162987 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:00:34.312190056 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 2, 2021 17:00:35.310036898 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:00:35.367260933 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 2, 2021 17:01:50.753842115 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:01:50.789350033 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 2, 2021 17:01:50.937465906 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:01:50.971564054 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 2, 2021 17:01:51.334006071 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:01:51.374604940 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 2, 2021 17:01:54.350487947 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:01:54.390949965 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 2, 2021 17:01:57.951273918 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:01:57.997874022 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 2, 2021 17:01:58.277338982 CEST	55708	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:01:58.320988894 CEST	53	55708	8.8.8.8	192.168.2.3
Aug 2, 2021 17:02:15.230190992 CEST	56803	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:02:15.293793917 CEST	53	56803	8.8.8.8	192.168.2.3
Aug 2, 2021 17:02:15.303226948 CEST	57145	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:02:15.368041992 CEST	53	57145	8.8.8.8	192.168.2.3
Aug 2, 2021 17:04:12.082567930 CEST	55359	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:04:12.131478071 CEST	53	55359	8.8.8.8	192.168.2.3
Aug 2, 2021 17:04:46.497484922 CEST	58306	53	192.168.2.3	8.8.8.8
Aug 2, 2021 17:04:46.538428068 CEST	53	58306	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 2, 2021 17:00:34.271162987 CEST	192.168.2.3	8.8.8.8	0xd6e8	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)
Aug 2, 2021 17:00:35.310036898 CEST	192.168.2.3	8.8.8.8	0xa4de	Standard query (0)	doc-10-00-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Aug 2, 2021 17:02:15.230190992 CEST	192.168.2.3	8.8.8.8	0x80de	Standard query (0)	mail.brimaq.com	A (IP address)	IN (0x0001)
Aug 2, 2021 17:02:15.303226948 CEST	192.168.2.3	8.8.8.8	0xe5bb	Standard query (0)	mail.brimaq.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 2, 2021 17:00:34.312190056 CEST	8.8.8.8	192.168.2.3	0xd6e8	No error (0)	drive.google.com		216.58.208.174	A (IP address)	IN (0x0001)
Aug 2, 2021 17:00:35.367260933 CEST	8.8.8.8	192.168.2.3	0xa4de	No error (0)	doc-10-00-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Aug 2, 2021 17:00:35.367260933 CEST	8.8.8.8	192.168.2.3	0xa4de	No error (0)	googlehosted.l.googleusercontent.com		216.58.208.129	A (IP address)	IN (0x0001)
Aug 2, 2021 17:01:50.789350033 CEST	8.8.8.8	192.168.2.3	0x9bac	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 2, 2021 17:02:15.293793917 CEST	8.8.8.8	192.168.2.3	0x80de	No error (0)	mail.brimaq.com	brimaq.com		CNAME (Canonical name)	IN (0x0001)
Aug 2, 2021 17:02:15.293793917 CEST	8.8.8.8	192.168.2.3	0x80de	No error (0)	brimaq.com		78.128.8.31	A (IP address)	IN (0x0001)
Aug 2, 2021 17:02:15.368041992 CEST	8.8.8.8	192.168.2.3	0xe5bb	No error (0)	mail.brimaq.com	brimaq.com		CNAME (Canonical name)	IN (0x0001)
Aug 2, 2021 17:02:15.368041992 CEST	8.8.8.8	192.168.2.3	0xe5bb	No error (0)	brimaq.com		78.128.8.31	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 2, 2021 17:00:34.438332081 CEST	216.58.208.174	443	192.168.2.3	49746	CN=*.google.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Mon Jun 28 03:38:45 CEST 2021 Thu Jun 15 02:00:42 CEST 2017	Mon Sep 20 03:38:44 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Aug 2, 2021 17:00:34.438332081 CEST	216.58.208.174	443	192.168.2.3	49746	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19
Aug 2, 2021 17:00:35.433747053 CEST	216.58.208.129	443	192.168.2.3	49747	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Mon Jun 28 05:06:51 CEST 2021 Thu Jun 15 02:00:42 CEST 2017	Mon Sep 20 05:06:50 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Aug 2, 2021 17:00:35.433747053 CEST	216.58.208.129	443	192.168.2.3	49747	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 2, 2021 17:02:15.702640057 CEST	587	49754	78.128.8.31	192.168.2.3	220-srvr.laprimeracloud08.com ESMTP Exim 4.94.2 #2 Mon, 02 Aug 2021 17:02:16 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 2, 2021 17:02:15.703107119 CEST	49754	587	192.168.2.3	78.128.8.31	EHLO 347688
Aug 2, 2021 17:02:15.756469011 CEST	587	49754	78.128.8.31	192.168.2.3	250-srvr.laprimeracloud08.com Hello 347688 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 2, 2021 17:02:15.757208109 CEST	49754	587	192.168.2.3	78.128.8.31	STARTTLS
Aug 2, 2021 17:02:15.813966990 CEST	587	49754	78.128.8.31	192.168.2.3	220 TLS go ahead

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Documentos de env#U00edo.exe PID: 5448 Parent PID: 5680

General

Start time:	16:57:01
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Documentos de env#U00edo.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Documentos de env#U00edo.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	A60166D50572EEDC2E44B327E4928324
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RegAsm.exe PID: 5088 Parent PID: 5448

General

Start time:	16:58:51
Start date:	02/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Documentos de env#U00edo.exe'
Imagebase:	0xa70000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 5024 Parent PID: 5088

General

Start time:	16:58:51
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Documentos de env#U00edo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Networking:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Code Manipulations

Statistics